Bulletin ID: HCSEC-2025-31
Affected Products / Versions: Vault Community Edition 1.20.3 to 1.20.4; fixed in 1.21.0. Vault Enterprise 1.20.3 to 1.20.4, 1.19.9 to 1.19.10, 1.18.14 to 1.18.15, 1.16.25 to 1.16.26; fixed in 1.21.0, 1.20.5, 1.19.11, and 1.16.27.
Publication Date: October 23, 2025
Summary
Vault and Vault Enterprise (“Vault”) are vulnerable to an unauthenticated denial of service when processing JSON payloads. This occurs due to a regression introduced by the previous fix for HCSEC-2025-24, which allowed JSON payloads to be processed before rate limits were applied. This vulnerability, CVE-2025-12044, is fixed in Vault Community Edition 1.21.0 and Vault Enterprise 1.16.27, 1.19.11, 1.20.5, and 1.21.0.
Background
Vault allows operators to configure tunable rate limits and other resource quotas. Due to a regression from the HCSEC-2025-24 fix, rate limits were applied after JSON payload processing rather than before, enabling resource exhaustion.
Details
Every request in Vault is subject to configurable rate limits. HCSEC-2025-24 addressed the processing of complex JSON payloads that could exhaust underlying resources, depending on the payload. In affected versions, Vault accepted large but valid JSON requests below the max_request_size threshold, and because rate limiting occurred only after parsing, repeated payloads could consume CPU and memory, resulting in service unavailability or crashes.
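The ordering problem described above, as an added illustration that is not Vault's code: a hypothetical handler charges a simple request-count quota either before or after decoding the JSON body and counts how many bodies were decoded. The server type, the ParsesUnderLoad helper, the 1 MiB body limit standing in for max_request_size, and the request path and payload are all constructed for this example.

```go
package main

import (
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"strings"
)

// server is a hypothetical stand-in for a Vault request handler (not Vault's code).
type server struct {
	allowed, used int  // minimal request-count quota standing in for a rate-limit quota
	limitFirst    bool // true: charge the quota before decoding (the fixed ordering)
	parsed        int  // bodies decoded: the cost a post-parse quota fails to bound
}

func (s *server) allow() bool {
	s.used++
	return s.used <= s.allowed
}

func (s *server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if s.limitFirst && !s.allow() {
		http.Error(w, "rate limited", http.StatusTooManyRequests)
		return
	}
	// 1 MiB stands in for max_request_size; every request under it is still fully decoded.
	var body map[string]interface{}
	if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 1<<20)).Decode(&body); err != nil {
		http.Error(w, "bad json", http.StatusBadRequest)
		return
	}
	s.parsed++
	if !s.limitFirst && !s.allow() { // vulnerable ordering: quota charged after decoding
		http.Error(w, "rate limited", http.StatusTooManyRequests)
	}
}

// ParsesUnderLoad sends n valid JSON requests against a quota of allowed requests and returns how many bodies were decoded.
func ParsesUnderLoad(limitFirst bool, allowed, n int) int {
	s := &server{allowed: allowed, limitFirst: limitFirst}
	payload := `{"data":{"key":"value"}}` // constructed sample payload
	for i := 0; i < n; i++ {
		req := httptest.NewRequest(http.MethodPost, "/v1/secret/data/demo", strings.NewReader(payload))
		s.ServeHTTP(httptest.NewRecorder(), req)
	}
	return s.parsed
}

func main() { println(ParsesUnderLoad(false, 2, 10), ParsesUnderLoad(true, 2, 10)) } // 10 2
```

With a quota of 2 and 10 requests, the post-parse ordering decodes all 10 bodies while the pre-parse ordering decodes only 2, which is the difference between a bounded and an unbounded parsing cost per client.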
Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Vault Community Edition 1.21.0 or Vault Enterprise 1.21.0, 1.19.11, and 1.16.27. Please refer to Upgrading Vault for general guidance.
Acknowledgement
This issue was identified by Toni Tauro of Adfinis AG.
We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.