Monday, December 1

HashiCorp Vault Vulnerabilities Let Attackers Bypass Authentication And Trigger DoS Attacks


HashiCorp has disclosed two critical vulnerabilities in its Vault software that could allow attackers to bypass authentication controls and launch denial-of-service (DoS) attacks.

Published on Mon, Oct 23, 2025, these flaws affect both Vault Community Edition and Vault Enterprise, prompting urgent recommendations for upgrades.

The issues, tracked as CVE-2025-12044 and CVE-2025-11621, stem from defects in request resource handling and authentication caching, potentially exposing sensitive data in enterprise environments.

Vault, a widely used tool for secrets management, encryption, and identity-based access, serves as a cornerstone for secure operations in cloud and hybrid infrastructures.

Denial-of-Service Flaw Through JSON Payload Exploitation

The first vulnerability, CVE-2025-12044, enables an unauthenticated DoS attack by exploiting a regression in JSON payload processing.

This flaw is a regression introduced by an earlier fix for resource exhaustion through complex JSON payloads. In affected versions, Vault applies rate limits after parsing incoming JSON requests rather than before, allowing attackers to flood the system with large, valid payloads that stay under the max_request_size threshold.

Operators configure tunable rate limits and resource quotas in Vault to prevent abuse, but this ordering error lets repeated requests consume excessive CPU and memory before any quota is enforced, leading to service unavailability or crashes. No CVSS score was immediately provided, but the unauthenticated nature elevates its severity, which HashiCorp rates as high risk.

This issue impacts Vault Community Edition versions 1.20.3 to 1.20.4, with fixes available in 1.21.0. For Vault Enterprise, affected releases span 1.20.3 to 1.20.4, 1.19.9 to 1.19.10, 1.18.14 to 1.18.15, and 1.16.25 to 1.16.26, patched in 1.21.0, 1.20.5, 1.19.11, and 1.16.27.

Authentication Bypass In AWS And EC2 Methods

The second vulnerability, CVE-2025-11621, poses a significant threat by allowing authentication bypass in Vault’s AWS Auth method.

This method automates token retrieval for IAM principals and EC2 instances, but a flaw in the caching logic fails to validate the AWS account ID. If the bound_principal_iam role matches across accounts or uses wildcards, an attacker from a different account can impersonate a legitimate user, leading to unauthorized access, data exposure, and privilege escalation.

A parallel issue affects the EC2 authentication method, where cache lookups only check AMI IDs, not account IDs, enabling cross-account attacks.

The flaw, discovered by security researcher Pavlos Karakalidis, underscores the risks of wildcard configurations in multi-account setups.

Affected versions are broader: Vault Community Edition from 0.6.0 to 1.20.4 (fixed in 1.21.0), and Vault Enterprise from 0.6.0 to 1.20.4, plus 1.19.10, 1.18.15, and 1.16.26 (fixed in 1.21.0, 1.20.5, 1.19.11, and 1.16.27).

Summary of the two advisories:

CVE-2025-12044
  Description: Unauthenticated DoS via JSON payloads
  Affected versions: Community 1.20.3-1.20.4; Enterprise 1.20.3-1.20.4, 1.19.9-1.19.10, 1.18.14-1.18.15, 1.16.25-1.16.26
  CVSS score: High (est.)
  Fix versions: Community 1.21.0; Enterprise 1.21.0, 1.20.5, 1.19.11, 1.16.27

CVE-2025-11621
  Description: AWS/EC2 auth bypass via cache flaw
  Affected versions: Community 0.6.0-1.20.4; Enterprise 0.6.0-1.20.4, 1.19.10, 1.18.15, 1.16.26
  CVSS score: High
  Fix versions: Community 1.21.0; Enterprise 1.21.0, 1.20.5, 1.19.11, 1.16.27

Mitigations

HashiCorp urges immediate upgrades to patched versions, following the official upgrading guide.

For those unable to update promptly, review AWS auth configurations: eliminate wildcards in bound_principal_iam and audit for role name collisions across accounts. Enable stricter account ID validation where possible.
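The configuration review suggested above can be scripted. The following is an added example, not HashiCorp's code or part of the advisory: it takes the fields of each AWS auth role (as returned by `vault read -format=json auth/aws/role/<name>`; the field names `auth_type`, `bound_account_id`, `bound_iam_principal_arn` and `bound_ami_id` are taken from Vault's AWS auth role schema and are assumed to match your version) and flags wildcard accounts or principal names, roles with no account pinned, and the same principal name bound from more than one account. The sample role data is constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample (not real output): the fields this check needs from
# `vault read -format=json auth/aws/role/<name>` for four hypothetical roles.
SAMPLE_ROLES = {
    "deploy":    {"auth_type": "iam", "bound_account_id": ["111111111111"],
                  "bound_iam_principal_arn": ["arn:aws:iam::111111111111:role/deploy"]},
    "deploy-eu": {"auth_type": "iam", "bound_account_id": [],
                  "bound_iam_principal_arn": ["arn:aws:iam::222222222222:role/deploy"]},
    "ci-runner": {"auth_type": "iam", "bound_account_id": [],
                  "bound_iam_principal_arn": ["arn:aws:iam::*:role/ci-*"]},
    "web-nodes": {"auth_type": "ec2", "bound_account_id": [],
                  "bound_ami_id": ["ami-0abc1234"]},
}

# Captures the account and principal-name parts of an IAM principal ARN.
ARN_RE = re.compile(r"^arn:aws:iam::(?P<account>[^:]*):[^/]+/(?P<name>.+)$")

def audit_aws_roles(roles):
    """Return (role, finding) pairs for bindings that depend on account
    context: missing bound_account_id, wildcard accounts or principal names,
    and one principal name bound from several accounts (name collision)."""
    findings = []
    bindings = defaultdict(list)  # principal name -> [(account, vault role)]
    for role, cfg in roles.items():
        if not cfg.get("bound_account_id"):
            findings.append((role, "no bound_account_id set"))
        if cfg.get("auth_type") == "ec2":
            continue  # EC2 roles bind AMI/account, not IAM principal ARNs
        for arn in cfg.get("bound_iam_principal_arn", []):
            m = ARN_RE.match(arn)
            if m is None:
                findings.append((role, f"unrecognised principal ARN {arn}"))
                continue
            if "*" in m["account"]:
                findings.append((role, f"wildcard account in {arn}"))
            if "*" in m["name"]:
                findings.append((role, f"wildcard principal name in {arn}"))
            # Drop any IAM path so "role/team/deploy" and "role/deploy" collide.
            bindings[m["name"].rsplit("/", 1)[-1]].append((m["account"], role))
    for name, pairs in bindings.items():
        accounts = sorted({acct for acct, _ in pairs})
        if len(accounts) > 1:
            roles_hit = ", ".join(sorted(r for _, r in pairs))
            findings.append((roles_hit, f"principal name '{name}' bound from accounts {', '.join(accounts)}"))
    return findings

if __name__ == "__main__":
    for role, msg in audit_aws_roles(SAMPLE_ROLES):
        print(f"{role}: {msg}")
```

On a live cluster, feed it the JSON of every name from `vault list auth/aws/roles` instead of SAMPLE_ROLES; the wildcard and collision findings are the ones the advisory's mitigation targets.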

These vulnerabilities highlight the importance of maintaining updated secrets management tools to prevent potential breaches.
