Bulletin ID: HCSEC-2025-11
Affected Products / Versions:
Vault Community Edition from 1.14.8 up to 1.19.5, fixed in 1.20.0.
Vault Enterprise from 1.14.8 up to 1.19.5, 1.18.10, 1.17.16, 1.16.21, fixed in 1.20.0, 1.19.6, 1.18.11, 1.17.17, 1.16.22.
Publication Date: June 25, 2025
Summary
Vault Community Edition and Vault Enterprise rekey and recovery-key operations can be driven into a denial of service, because an in-progress operation can be cancelled through an unauthenticated endpoint by a party other than the operator who started it. This vulnerability (CVE-2025-4656) has been remediated in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.6, 1.18.11, 1.17.17, and 1.16.22.
Background
The rekey operation lets an operator replace Vault's unseal keys. When using a seal that supports stored keys, such as PKCS #11, the operator supplies the number of key shares and the threshold of shares required to reconstruct the root key. Only one rekey operation can be in progress at a time.
Initializing the rekey returns a nonce that identifies that operation; callers supply the nonce with each key share they submit, and Vault uses it to track the operation's progress.
To change the number of shares or the threshold, the operator must cancel the in-progress operation and start a new one. The same model applies to rekeying the recovery keys.
Details
Because a rekey is the mechanism by which an operator proves control of the existing keys, these endpoints are unauthenticated: in place of a Vault token, they rely on a challenge/response in which the caller submits recovery-key or seal-key shares. Cancellation, however, is accepted from any caller, so a malicious actor who can reach the Vault API can cancel an in-progress operation and reset the number of shares required.
This lets an attacker cancel the operation and deny clients access to Vault until the operator initiates the rekey operation again.
When an in-flight operation is cancelled and reset this way, the only server-side trace is a single warn-level log line:
2025-05-13T12:22:48.575-0500 [WARN] core: shamir stored keys supported, forcing rekey shares/threshold to 1
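Since that WARN line is the only record of the reset, an operator who is mid-rekey wants to catch it quickly. The following is an added example, not HashiCorp's code and not part of this bulletin: it scans server log lines for the message above and, separately, compares successive polls of the sys/rekey/init status endpoint to flag an in-progress operation that was cancelled or restarted underneath the operator. The log lines and status snapshots are constructed; the status field names (started, nonce, t, n, progress) are those of the documented rekey status response, and the ten-minute window and count thresholds are illustrative assumptions.

```python
"""Spot a cancelled or reset Vault rekey from server logs and rekey status polls.

Added example for HCSEC-2025-11; not HashiCorp code. Sample data is constructed.
"""
import re
from datetime import datetime, timedelta

# The WARN line quoted in the bulletin is the only server-side trace of the reset.
REKEY_RESET_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[WARN\]\s+core: shamir stored keys supported, "
    r"forcing rekey shares/threshold to 1\s*$"
)


def parse_vault_ts(ts):
    """Parse Vault's default log timestamp (e.g. 2025-05-13T12:22:48.575-0500).

    datetime.fromisoformat only accepts a '-0500' style zone on Python 3.11+,
    so rewrite it to '-05:00', which every supported version accepts.
    """
    if re.search(r"[+-]\d{4}$", ts):
        ts = ts[:-2] + ":" + ts[-2:]
    return datetime.fromisoformat(ts)


def find_rekey_resets(lines):
    """Return the timestamp of every rekey reset WARN line, in log order."""
    return [
        parse_vault_ts(m.group("ts"))
        for m in (REKEY_RESET_RE.match(line.strip()) for line in lines)
        if m
    ]


def repeated_resets(timestamps, window=timedelta(minutes=10), min_count=2):
    """True if at least min_count resets fall inside any window-sized interval.

    A single reset can be a legitimate operator restart; several in a short
    window while a rekey is expected to be running is the pattern to page on.
    (Window and count are illustrative assumptions, not Vault defaults.)
    """
    ts = sorted(timestamps)
    for i, start in enumerate(ts):
        in_window = sum(1 for t in ts[i:] if t - start <= window)
        if in_window >= min_count:
            return True
    return False


def status_transitions(snapshots):
    """Compare successive GET /v1/sys/rekey/init polls and flag resets.

    Each snapshot is the documented status body (started, nonce, t, n, progress).
    Returns (event, old_nonce, detail) tuples: 'cancelled' when a started
    operation disappears, 'restarted' when the nonce changes while started.
    """
    events = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        if prev["started"] and not cur["started"]:
            events.append(("cancelled", prev["nonce"], prev["progress"]))
        elif prev["started"] and cur["started"] and prev["nonce"] != cur["nonce"]:
            events.append(("restarted", prev["nonce"], cur["nonce"]))
    return events


# Constructed sample server log: only the WARN line's wording comes from the
# bulletin; the INFO lines are filler for realism.
SAMPLE_LOG = [
    "2025-05-13T12:20:01.103-0500 [INFO]  core: post-unseal setup complete",
    "2025-05-13T12:22:48.575-0500 [WARN] core: shamir stored keys supported, forcing rekey shares/threshold to 1",
    "2025-05-13T12:25:10.920-0500 [INFO]  core: post-unseal setup complete",
    "2025-05-13T12:26:03.417-0500 [WARN] core: shamir stored keys supported, forcing rekey shares/threshold to 1",
]

# Constructed snapshots of GET /v1/sys/rekey/init as an operator-side monitor
# would poll them: a 5-of-3 rekey with two shares submitted, then gone, then a
# fresh operation with a new nonce.
SAMPLE_STATUS = [
    {"started": True, "nonce": "2dbd10f1-8528-6246-09e7-82b25b8aba63", "t": 3, "n": 5, "progress": 2},
    {"started": False, "nonce": "", "t": 0, "n": 0, "progress": 0},
    {"started": True, "nonce": "7c3f2a44-1b2e-4f8a-9d6e-0c1a2b3c4d5e", "t": 3, "n": 5, "progress": 0},
    {"started": True, "nonce": "7c3f2a44-1b2e-4f8a-9d6e-0c1a2b3c4d5e", "t": 3, "n": 5, "progress": 1},
]

if __name__ == "__main__":
    resets = find_rekey_resets(SAMPLE_LOG)
    print("rekey resets at:", [t.isoformat() for t in resets])
    print("repeated within window:", repeated_resets(resets))
    print("status events:", status_transitions(SAMPLE_STATUS))
```

The log scan is the cheap, always-available signal; the status comparison needs the monitor to already be polling, but it also catches the case where the attacker cancels and immediately re-initializes (new nonce) so that a naive "is a rekey running?" check stays green.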
Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Vault Community Edition 1.20.0, or to Vault Enterprise 1.20.0, 1.19.6, 1.18.11, 1.17.17, or 1.16.22.
Acknowledgement
This issue was identified by Alex Scheel from GitLab.
We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.