HashiCorp Vault Vulnerabilities Let Attackers Bypass Authentication And Trigger DoS Attacks


HashiCorp has disclosed two critical vulnerabilities in its Vault software that could allow attackers to bypass authentication controls and launch denial-of-service (DoS) attacks.

Published on October 23, 2025, these flaws affect both Vault Community Edition and Vault Enterprise, prompting urgent recommendations for upgrades.

The issues, tracked as CVE-2025-12044 and CVE-2025-11621, stem from misconfigurations in resource handling and authentication caching, potentially exposing sensitive data in enterprise environments.

Vault, a widely used tool for secrets management, encryption, and identity-based access, serves as a cornerstone for secure operations in cloud and hybrid infrastructures.

These vulnerabilities highlight ongoing challenges in balancing performance with robust security, especially as organizations increasingly rely on automated authentication methods like AWS integration.

Denial-of-Service Flaw Through JSON Payload Exploitation

The first vulnerability, CVE-2025-12044 (HCSEC-2025-30), enables an unauthenticated DoS attack by exploiting a regression in JSON payload processing.


This flaw arises from a previous fix for HCSEC-2025-24, which addressed complex JSON payloads that could exhaust resources.

In affected versions, Vault applies rate limits after parsing incoming JSON requests rather than before, allowing attackers to flood the system with large, valid payloads under the max_request_size threshold.

Operators configure tunable rate limits and resource quotas in Vault to prevent abuse, but this ordering error lets repeated requests consume excessive CPU and memory.

The result is service unavailability or outright crashes that cut off access to critical secrets and keys. No CVSS score was provided at disclosure, but because the flaw is exploitable without authentication its severity is elevated, and HashiCorp rates it as high risk.

This issue impacts Vault Community Edition versions 1.20.3 to 1.20.4, with fixes available in 1.21.0.

For Vault Enterprise, affected releases span 1.20.3 to 1.20.4, 1.19.9 to 1.19.10, 1.18.14 to 1.18.15, and 1.16.25 to 1.16.26, patched in 1.21.0, 1.20.5, 1.19.11, and 1.16.27.

Authentication Bypass In AWS And EC2 Methods

The second vulnerability, CVE-2025-11621 (also HCSEC-2025-30), poses an even graver threat by allowing authentication bypass in Vault’s AWS Auth method.

This method automates token retrieval for IAM principals and EC2 instances, but a flaw in the caching logic fails to validate the AWS account ID.

If the bound_principal_iam role matches across accounts or uses wildcards, an attacker from a different account can impersonate a legitimate user, leading to unauthorized access, data exposure, and privilege escalation.

A parallel issue affects the EC2 authentication method, where cache lookups only check AMI IDs, not account IDs, enabling cross-account attacks.

Discovered by security researcher Pavlos Karakalidis, who coordinated disclosure with HashiCorp, this flaw underscores the risks of wildcard configurations in multi-account setups.

Affected versions are broader: Vault Community Edition from 0.6.0 to 1.20.4 (fixed in 1.21.0), and Vault Enterprise from 0.6.0 to 1.20.4, plus 1.19.10, 1.18.15, and 1.16.26 (fixed in 1.21.0, 1.20.5, 1.19.11, and 1.16.27).

| CVE ID | Description | Affected Products/Versions | CVSS Score | Fix Versions |
|---|---|---|---|---|
| CVE-2025-12044 | Unauthenticated DoS via JSON payloads | Community: 1.20.3-1.20.4; Enterprise: 1.20.3-1.20.4, 1.19.9-1.19.10, 1.18.14-1.18.15, 1.16.25-1.16.26 | High (est.) | Community: 1.21.0; Enterprise: 1.21.0, 1.20.5, 1.19.11, 1.16.27 |
| CVE-2025-11621 | AWS/EC2 auth bypass via cache flaw | Community: 0.6.0-1.20.4; Enterprise: 0.6.0-1.20.4, 1.19.10, 1.18.15, 1.16.26 | High | Community: 1.21.0; Enterprise: 1.21.0, 1.20.5, 1.19.11, 1.16.27 |

Mitigations

HashiCorp urges immediate upgrades to patched versions, following the official upgrading guide.

For those unable to update promptly, review AWS auth configurations: eliminate wildcards in bound_principal_iam and audit for role name collisions across accounts. Enable stricter account ID validation where possible.
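As an added illustration of the configuration review recommended above (example code, not HashiCorp's or the article's), the following Python audit walks AWS auth role definitions of the kind `vault read -format=json auth/aws/role/<name>` returns, flagging wildcard IAM principals, principal names bound in more than one AWS account, and EC2 roles bound to an AMI but not to an account. It assumes Vault's `bound_iam_principal_arn`, `bound_ami_id` and `bound_account_id` field names (the article writes `bound_principal_iam`), and the role data is constructed sample input.

```python
"""Audit Vault AWS auth roles for wildcard principals and cross-account collisions."""
import re

# Constructed sample: trimmed role data in the shape `vault read -format=json
# auth/aws/role/<name>` returns (field names assumed from Vault's AWS auth method).
SAMPLE_ROLES = {
    "ci-runner": {"auth_type": "iam",
                  "bound_iam_principal_arn": ["arn:aws:iam::111111111111:role/ci-runner"]},
    "deploy": {"auth_type": "iam",
               "bound_iam_principal_arn": ["arn:aws:iam::111111111111:role/deploy-*"]},
    "batch": {"auth_type": "iam",
              "bound_iam_principal_arn": ["arn:aws:iam::111111111111:role/worker",
                                          "arn:aws:iam::222222222222:role/worker"]},
    "web-ec2": {"auth_type": "ec2", "bound_ami_id": ["ami-0abc1234"], "bound_account_id": []},
}

# IAM principal ARN: account id sits between the two '::' and ':' separators.
ARN_RE = re.compile(r"^arn:aws:iam::(?P<account>[^:]+):(?:role|user)/(?P<name>.+)$")


def audit_roles(roles):
    """Return a list of (role, finding) tuples; an empty list means nothing flagged."""
    findings = []
    seen = {}  # principal name -> set of account ids it is bound in
    for role, cfg in roles.items():
        if cfg.get("auth_type") == "ec2":
            # Binding only an AMI leaves nothing account-specific in the role.
            if cfg.get("bound_ami_id") and not cfg.get("bound_account_id"):
                findings.append((role, "ec2 role binds an AMI but no bound_account_id"))
            continue
        for arn in cfg.get("bound_iam_principal_arn", []):
            m = ARN_RE.match(arn)
            if not m:
                findings.append((role, f"unparseable principal ARN {arn}"))
                continue
            account, name = m.group("account"), m.group("name")
            if "*" in account or "*" in name:
                findings.append((role, f"wildcard principal {arn}"))
            seen.setdefault(name, set()).add(account)
    # The same principal name bound in several accounts is the collision the advisory warns about.
    for name, accounts in seen.items():
        if len(accounts) > 1:
            findings.append(("<cross-role>", f"principal name {name!r} bound in accounts {sorted(accounts)}"))
    return findings


if __name__ == "__main__":
    for role, finding in audit_roles(SAMPLE_ROLES):
        print(f"{role}: {finding}")
```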

These vulnerabilities arrive amid rising scrutiny on secrets management tools, as attackers target them for initial footholds. Organizations using Vault in production should prioritize patching to safeguard against exploitation, which could cascade into broader breaches.
