Two high-severity vulnerabilities disclosed by HashiCorp could expose Vault deployments to denial-of-service (DoS) attacks and cross-account authentication bypasses, prompting urgent patching recommendations from the company.
HashiCorp confirmed that Vault and Vault Enterprise are vulnerable to an unauthenticated denial of service when processing JSON payloads due to a regression introduced after an earlier fix for HCSEC-2025-24. The flaw, tracked as CVE-2025-12044 (CVSS 7.5), stems from a change that “allowed for processing JSON payloads before applying rate limits,” thereby defeating intended protection mechanisms against resource exhaustion.
According to the advisory, “rate limits were applied after JSON payload processing rather than before, enabling resource exhaustion.” Attackers could exploit this by repeatedly sending large but valid JSON requests within allowed thresholds, consuming CPU and memory until the service becomes unresponsive or crashes.
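The ordering problem the advisory describes can be made concrete with a small simulation. The Go program below is an added illustration written for this article, not code from HashiCorp or from Vault itself: it uses a stand-in token-bucket limiter and a counting reader to compare two handler orderings, one that decodes the JSON body and only then consults the rate limiter (the regressed behaviour), and one that rejects over-budget requests before reading a byte. It also shows a body-size cap as a second layer of defence. The payload, limiter budget and request counts are all constructed for the demonstration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
	"sync"
)

// countingReader records how many body bytes a handler actually consumed.
type countingReader struct {
	r io.Reader
	n int64
}

func (c *countingReader) Read(p []byte) (int, error) {
	n, err := c.r.Read(p)
	c.n += int64(n)
	return n, err
}

// tokenBucket is a deliberately simple stand-in for a real limiter:
// a fixed budget of requests, each Allow consuming one token.
type tokenBucket struct {
	mu     sync.Mutex
	tokens int
}

func (b *tokenBucket) Allow() bool {
	b.mu.Lock()
	defer b.mu.Unlock()
	if b.tokens <= 0 {
		return false
	}
	b.tokens--
	return true
}

// processRequest returns an HTTP status and the number of body bytes read
// before that decision was reached. limitFirst=false reproduces the ordering
// the advisory describes (JSON decoded, then rate limit applied);
// limitFirst=true is the corrected order. maxBody caps how much of the body
// the decoder may read at all.
func processRequest(limiter *tokenBucket, limitFirst bool, maxBody int64, body []byte) (int, int64) {
	cr := &countingReader{r: bytes.NewReader(body)}

	if limitFirst && !limiter.Allow() {
		// Rejected before a single byte of the body is touched.
		return http.StatusTooManyRequests, cr.n
	}

	var payload map[string]interface{}
	if err := json.NewDecoder(io.LimitReader(cr, maxBody)).Decode(&payload); err != nil {
		// Malformed or over-sized bodies are refused without being fully parsed.
		return http.StatusBadRequest, cr.n
	}

	if !limitFirst && !limiter.Allow() {
		// Too late: the CPU and memory for decoding have already been spent.
		return http.StatusTooManyRequests, cr.n
	}
	return http.StatusOK, cr.n
}

// simulate sends the same body `requests` times against a limiter holding
// `budget` tokens and reports how many bytes were decoded on behalf of
// requests that were ultimately rejected: work the sender obtains for free.
func simulate(limitFirst bool, requests, budget int, maxBody int64, body []byte) (accepted, rejected int, wasted int64) {
	limiter := &tokenBucket{tokens: budget}
	for i := 0; i < requests; i++ {
		status, n := processRequest(limiter, limitFirst, maxBody, body)
		if status == http.StatusOK {
			accepted++
		} else {
			rejected++
			wasted += n
		}
	}
	return accepted, rejected, wasted
}

// buildPayload constructs a large but syntactically valid JSON document.
// This is constructed sample input, not a captured Vault request.
func buildPayload(entries int) []byte {
	m := make(map[string]string, entries)
	for i := 0; i < entries; i++ {
		m[fmt.Sprintf("key%d", i)] = strings.Repeat("x", 64)
	}
	b, _ := json.Marshal(map[string]interface{}{"data": m})
	return b
}

func main() {
	body := buildPayload(2000)
	for _, first := range []bool{false, true} {
		a, r, w := simulate(first, 10, 3, 1<<20, body)
		fmt.Printf("rate limit first=%v: accepted=%d rejected=%d bytes decoded for rejected requests=%d\n",
			first, a, r, w)
	}
}
```

Both orderings admit the same three requests, but only the corrected order spends zero decoding effort on the seven it turns away; the `maxBody` cap is the same idea applied to a single request, bounding how much a valid-looking body can cost before it is refused.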
The second vulnerability, CVE-2025-11621 (CVSS 8.1), affects Vault’s AWS Auth method and could allow an attacker to bypass authentication in multi-account environments. The flaw arises when the same IAM role name exists across different AWS accounts or when a wildcard (*) is used in the bound_principal_iam configuration.
HashiCorp’s advisory explains: “Vault’s AWS Auth method may be susceptible to authentication bypass if the role of the configured bound_principal_iam is the same across AWS accounts, or uses a wildcard.” The underlying issue is that “the cache did not validate the account ID when querying,” meaning an attacker could authenticate with a matching role name from a separate account.
The company warns that this behavior “can lead to sensitive data exposure and potential opportunities for additional privilege escalation.” Moreover, a related flaw exists in the EC2 authentication method, which “validates only ami_id but not the account ID,” potentially enabling similar cross-account abuse.
As with CVE-2025-12044, fixes have been implemented in the same patched versions. Organizations unable to upgrade should review connected AWS accounts for role name collisions and remove wildcards from the bound_principal_iam field to mitigate potential exposure.
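The account-ID check the advisory says was missing, and the two configuration conditions it calls out, can both be expressed in a few lines. The Go program below is an added example written for this article; it is not Vault's AWS auth code and does not reproduce its cache. It parses IAM role and STS assumed-role ARNs (the public AWS ARN layout; the `iamPrincipal` type and helper names are this example's own), contrasts a name-only comparison with one that also compares the account ID, and audits a constructed list of bound principals for wildcards and for role names shared by more than one account, which is the review step recommended above for deployments that cannot upgrade yet.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// iamPrincipal holds the two parts of an IAM identity that must be compared
// together: the account that owns the role, and the role name.
type iamPrincipal struct {
	AccountID string
	RoleName  string
}

// parseRoleARN extracts the account ID and role name from an IAM role ARN
// ("arn:aws:iam::123456789012:role/Name") or an STS assumed-role ARN
// ("arn:aws:sts::123456789012:assumed-role/Name/session").
func parseRoleARN(arn string) (iamPrincipal, error) {
	parts := strings.SplitN(arn, ":", 6)
	if len(parts) != 6 || parts[0] != "arn" || (parts[2] != "iam" && parts[2] != "sts") {
		return iamPrincipal{}, fmt.Errorf("not an IAM/STS ARN: %q", arn)
	}
	account, resource := parts[4], parts[5]
	var name string
	switch {
	case strings.HasPrefix(resource, "role/"):
		name = strings.TrimPrefix(resource, "role/")
	case strings.HasPrefix(resource, "assumed-role/"):
		name = strings.SplitN(strings.TrimPrefix(resource, "assumed-role/"), "/", 2)[0]
	default:
		return iamPrincipal{}, fmt.Errorf("unsupported resource %q", resource)
	}
	if len(account) != 12 || name == "" {
		return iamPrincipal{}, fmt.Errorf("malformed ARN %q", arn)
	}
	return iamPrincipal{AccountID: account, RoleName: name}, nil
}

// matchByNameOnly models the defect described in the advisory: the bound
// principal is compared on role name alone, so a same-named role from any
// other account is accepted.
func matchByNameOnly(bound, caller iamPrincipal) bool {
	return bound.RoleName == caller.RoleName
}

// matchWithAccount adds the account-ID comparison the cache was missing.
func matchWithAccount(bound, caller iamPrincipal) bool {
	return bound.AccountID == caller.AccountID && bound.RoleName == caller.RoleName
}

// auditBoundPrincipals reports the two configuration conditions the advisory
// ties to the bypass: wildcard entries, and role names that appear in more
// than one account. collisions maps a role name to the accounts sharing it.
func auditBoundPrincipals(bound []string) (wildcards []string, collisions map[string][]string, err error) {
	accountsByRole := map[string]map[string]bool{}
	for _, arn := range bound {
		if strings.Contains(arn, "*") {
			wildcards = append(wildcards, arn)
			continue
		}
		p, perr := parseRoleARN(arn)
		if perr != nil {
			return nil, nil, perr
		}
		if accountsByRole[p.RoleName] == nil {
			accountsByRole[p.RoleName] = map[string]bool{}
		}
		accountsByRole[p.RoleName][p.AccountID] = true
	}
	collisions = map[string][]string{}
	for role, accounts := range accountsByRole {
		if len(accounts) > 1 {
			list := make([]string, 0, len(accounts))
			for a := range accounts {
				list = append(list, a)
			}
			sort.Strings(list)
			collisions[role] = list
		}
	}
	return wildcards, collisions, nil
}

func main() {
	// Constructed sample configuration: account IDs and role names are
	// placeholders, not real bindings.
	bound := []string{
		"arn:aws:iam::111111111111:role/deploy",
		"arn:aws:iam::222222222222:role/deploy",
		"arn:aws:iam::111111111111:role/reader",
		"arn:aws:iam::333333333333:role/*",
	}
	wild, coll, err := auditBoundPrincipals(bound)
	if err != nil {
		panic(err)
	}
	fmt.Println("wildcard principals:", wild)
	fmt.Println("role names shared across accounts:", coll)

	trusted, _ := parseRoleARN(bound[0])
	caller, _ := parseRoleARN("arn:aws:sts::999999999999:assumed-role/deploy/ci-session")
	fmt.Println("name-only match (flawed):", matchByNameOnly(trusted, caller))
	fmt.Println("name+account match (fixed):", matchWithAccount(trusted, caller))
}
```

Run against a real export of bound principals, the audit lists exactly the entries the advisory's interim guidance asks administrators to look at: any wildcard binding, and any role name that exists in more than one connected account.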
The company has addressed these flaws in the latest releases: Vault Community Edition 1.21.0 and Vault Enterprise 1.16.27, 1.19.11, 1.20.5, and 1.21.0. Administrators are advised to upgrade immediately. HashiCorp also recommended reviewing its Upgrading Vault documentation for general guidance.