HCSEC-2025-31 (Published)

**Bulletin ID:** HCSEC-2025-31

**Affected Products / Versions:** Vault Community Edition 1.20.3 to 1.20.4; fixed in 1.21.0. Vault Enterprise 1.20.3 to 1.20.4, 1.19.9 to 1.19.10, 1.18.14 to 1.18.15, 1.16.25 to 1.16.26; fixed in 1.21.0, 1.20.5, 1.19.11, and 1.16.27

**Publication Date:** October 23, 2025

**Summary**

Vault and Vault Enterprise (“Vault”) are vulnerable to an unauthenticated denial of service when processing JSON payloads. This occurs due to a regression from a previous fix for [HCSEC-2025-24](https://discuss.hashicorp.com/t/hcsec-2025-24-vault-denial-of-service-though-complex-json-payloads/76393), which allowed JSON payloads to be processed before rate limits were applied. This vulnerability, CVE-2025-12044, is fixed in Vault Community Edition 1.21.0 and Vault Enterprise 1.16.27, 1.19.11, 1.20.5, and 1.21.0.

**Background**

Vault allows operators to configure [tunable rate limits](https://developer.hashicorp.com/vault/docs/concepts/resource-quotas#rate-limit-quotas) and other resource quotas. Due to a regression from the [HCSEC-2025-24](https://discuss.hashicorp.com/t/hcsec-2025-24-vault-denial-of-service-though-complex-json-payloads/76393) fix, rate limits were applied after JSON payload processing rather than before, enabling resource exhaustion.

**Details**

Every request in Vault is subject to configurable rate limits. In [HCSEC-2025-24](https://discuss.hashicorp.com/t/hcsec-2025-24-vault-denial-of-service-though-complex-json-payloads/76393), Vault fixed the processing of complex JSON payloads that could exhaust underlying resources, depending on the payload. In affected versions, Vault accepted large but valid JSON requests below the [max_request_size](https://developer.hashicorp.com/vault/docs/internals/limits?#request-size) threshold. Because rate limiting occurred after parsing, repeated payloads could consume CPU and memory, resulting in service unavailability or crashes.
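The ordering defect described above, as an added Go model that is not Vault's code: a fixed request budget stands in for a rate-limit quota, and `Simulate` (a constructed helper) counts how many bodies reach the JSON decoder when the quota is checked after parsing versus before it.

```go
package main

import "encoding/json"

// Outcome of one simulated batch of requests (constructed for this example).
type Outcome struct {
	Parsed   int // bodies that reached the JSON decoder
	Rejected int // requests answered 429 by the quota
}

// Simulate sends n identical valid JSON payloads against a fixed quota of q
// requests. parseFirst=true mirrors the regressed ordering (decode the body,
// then apply the rate limit); false mirrors the fixed ordering. A caller who
// is over quota should cost the server nothing beyond the quota check, so
// Parsed is the number that separates the two. Not Vault's implementation.
func Simulate(parseFirst bool, q, n int) Outcome {
	var out Outcome
	body := []byte(`{"data":{"key":"value"}}`) // constructed sample payload
	remaining := q
	decode := func() error { // the CPU and memory cost the quota is meant to bound
		out.Parsed++
		var v any
		return json.Unmarshal(body, &v)
	}
	allow := func() bool { // stand-in for the rate-limit quota check
		if remaining <= 0 {
			return false
		}
		remaining--
		return true
	}
	for i := 0; i < n; i++ {
		if parseFirst && decode() != nil {
			continue // 400, but the decoder already ran
		}
		if !allow() {
			out.Rejected++ // 429
			continue
		}
		if !parseFirst {
			_ = decode() // fixed ordering: only callers with quota reach here
		}
	}
	return out
}

func main() {
	println("regressed: parsed", Simulate(true, 2, 5).Parsed) // 5
	println("fixed: parsed", Simulate(false, 2, 5).Parsed)    // 2
}
```

With a quota of 2 and 5 requests, both orderings reject 3 requests, but only the regressed ordering parses all 5 bodies; that unbounded parse work is what the fix removes.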
**Remediation**

Customers should evaluate the risk associated with this issue and consider upgrading to Vault Community Edition 1.21.0 or Vault Enterprise 1.21.0, 1.19.11, and 1.16.27. Please refer to [Upgrading Vault](https://developer.hashicorp.com/vault/docs/upgrading) for general guidance.

**Acknowledgement**

This issue was identified by Toni Tauro of Adfinis AG.

*We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see [https://hashicorp.com/security](https://hashicorp.com/security).*

Timeline

  • Oct 23, 2025: CVE Published