Bulletin ID: HCSEC-2025-28
Affected Products / Versions:
Consul Community Edition up to 1.21.5, fixed in 1.22.0.
Consul Enterprise up to 1.21.5, 1.20.7, 1.19.9 and 1.18.11; fixed in 1.22.0, 1.21.6, 1.20.8 and 1.18.12.
Note: Consul Enterprise 1.19 is no longer part of the Long-Term Support (LTS) versions and therefore will not receive a fix for this finding. We strongly recommend that customers upgrade to a newer version.
Publication Date: October 28, 2025
Summary
Consul and Consul Enterprise’s (“Consul”) event endpoint is vulnerable to denial of service (DoS) because no maximum value is enforced for the Content-Length header. This vulnerability, CVE-2025-11375, is fixed in Consul Community Edition 1.22.0 and Consul Enterprise 1.22.0, 1.21.6, 1.20.8 and 1.18.12.
Background
Consul’s event endpoint allows customers to trigger user events across an entire datacenter using Consul’s gossip protocol for propagation. These events serve as signals for automated actions like deployments, service restarts, or orchestration tasks without being understood by Consul itself.
Details
Consul’s event endpoint did not impose an upper limit on the Content-Length header of incoming HTTP requests. This allowed an attacker to send large payloads, which were copied into a buffer, potentially leading to a denial of service (DoS) or system instability through memory exhaustion.
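The following Go program is an added illustration of the defect class described above and of the check that closes it; it is not Consul's code and does not reproduce the project's actual fix. It contrasts a handler that reads the whole request body as sent (so memory use is dictated by the client) with one that rejects a declared Content-Length above a cap before reading and, for requests that omit or understate Content-Length, stops the read at the cap with http.MaxBytesReader. The 512 KiB limit, the /v1/event/fire/deploy path and the 4 MiB constructed payload are assumptions for the example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// maxEventPayload is an assumed cap for this example, not Consul's actual limit.
const maxEventPayload = 512 * 1024 // 512 KiB

// unboundedHandler shows the weak pattern: it buffers the whole body, so the
// memory it allocates is whatever the client chooses to send.
func unboundedHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "accepted %d bytes", len(body))
}

// boundedHandler refuses oversized payloads before allocating for them.
func boundedHandler(w http.ResponseWriter, r *http.Request) {
	// A declared Content-Length above the cap is rejected without reading a byte.
	if r.ContentLength > maxEventPayload {
		http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
		return
	}
	// Clients that omit Content-Length (chunked) or understate it are still
	// stopped: MaxBytesReader fails the read once the cap is crossed.
	r.Body = http.MaxBytesReader(w, r.Body, maxEventPayload)
	body, err := io.ReadAll(r.Body)
	if err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "accepted %d bytes", len(body))
}

// noLengthBody hides the reader's concrete type so httptest.NewRequest leaves
// ContentLength at -1, which is how a chunked request presents to a handler.
type noLengthBody struct{ io.Reader }

// sendEvent drives a handler in memory with a constructed PUT to an assumed
// event path and returns the status code and reply body. declareLength
// controls whether the request carries a Content-Length.
func sendEvent(h http.HandlerFunc, payload []byte, declareLength bool) (int, string) {
	var body io.Reader = bytes.NewReader(payload)
	if !declareLength {
		body = noLengthBody{body}
	}
	req := httptest.NewRequest(http.MethodPut, "/v1/event/fire/deploy", body)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	small := bytes.Repeat([]byte("x"), 100)          // constructed normal payload
	large := bytes.Repeat([]byte("x"), 4*1024*1024)  // constructed 4 MiB oversized payload
	for _, tc := range []struct {
		name    string
		h       http.HandlerFunc
		payload []byte
		declare bool
	}{
		{"unbounded/small", unboundedHandler, small, true},
		{"unbounded/large", unboundedHandler, large, true},
		{"bounded/small", boundedHandler, small, true},
		{"bounded/large declared", boundedHandler, large, true},
		{"bounded/large chunked", boundedHandler, large, false},
	} {
		code, reply := sendEvent(tc.h, tc.payload, tc.declare)
		fmt.Printf("%-24s -> %d %s\n", tc.name, code, reply)
	}
}
```

The Content-Length check alone is not sufficient, since a client can send a chunked body or declare a smaller length than it sends; the MaxBytesReader wrap is what bounds the allocation in every case, and the header check only lets the server refuse the obvious cases without reading. A practitioner auditing a similar endpoint should confirm both that a cap exists and that the read path cannot grow past it.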
Remediation
Customers using Consul should evaluate the risk associated with this issue and consider upgrading to Consul Community Edition 1.22.0 or Consul Enterprise 1.22.0, 1.21.6, 1.20.8 or 1.18.12.
See Consul’s Upgrading documentation for general guidance on this process.
Acknowledgement
This issue was identified by Julien Ahrens from RCE Security (https://www.rcesecurity.com).
We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.