Critical HashiCorp Vault Vulnerabilities Allow Authentication Bypass and DoS Attacks

HashiCorp has disclosed two critical vulnerabilities in Vault and Vault Enterprise that could enable attackers to bypass authentication mechanisms and launch denial-of-service attacks against infrastructure.

The first vulnerability, identified under Bulletin ID HCSEC-2025-31, stems from a regression in how Vault processes JSON payloads.

According to HashiCorp’s disclosure published on October 23, 2025, the vulnerability allows unauthenticated attackers to trigger denial-of-service conditions by submitting specially crafted JSON requests.

The vulnerability exists because rate limiting mechanisms are applied after JSON payload processing rather than before, enabling resource exhaustion through repeated requests.

The vulnerabilities, tracked as CVE-2025-12044 and CVE-2025-11621, underscore emerging risks in widely deployed secrets management solutions and require immediate attention from affected organizations.

Threat actors can exploit this weakness to consume CPU and memory resources, potentially causing service unavailability or complete system crashes.

The affected versions include Vault Community Edition 1.20.3 to 1.20.4 and multiple enterprise versions spanning 1.16.25 through 1.20.4.

The issue represents a regression from a previous security patch addressing similar JSON processing problems, indicating that remediation efforts inadvertently reintroduced the underlying vulnerability in a different form.

HashiCorp Vault Vulnerabilities

The second vulnerability, tracked as CVE-2025-11621 under Bulletin ID HCSEC-2025-30, presents a more severe risk by enabling authentication bypass in Vault’s AWS authentication method.

This vulnerability affects Vault Community Edition 0.6.0 through 1.20.4 and corresponding enterprise versions.

An attacker with an identical IAM role name across different AWS accounts—or one that matches due to wildcard configurations—can authenticate as legitimate users without proper credentials.

The vulnerability stems from improper cache validation in Vault’s AWS auth method. When validating STS roles, the system checks for role existence in AWS but fails to validate the associated account ID.

This oversight creates a significant security gap: if an operator configures bound_iam_principal_arn with wildcards, or identical role names exist across multiple AWS accounts, an attacker in a different account can forge authentication tokens and gain unauthorized access to sensitive secrets and infrastructure credentials.

A related issue affects Vault’s EC2 authentication method, where cache lookups validate only AMI IDs without verifying account IDs.

This vulnerability enables cross-account privilege escalation, allowing attackers to authenticate from different AWS accounts and potentially perform lateral movement across organizational boundaries.

HashiCorp recommends all affected customers upgrade to patched versions immediately: Vault Community Edition 1.21.0 or Vault Enterprise 1.21.0, 1.20.5, 1.19.11, and 1.16.27.

Organizations unable to upgrade should review AWS auth method configurations for role name collisions and remove wildcards from bound_iam_principal_arn settings.
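To make the cache-key flaw and the configuration review concrete, here is an added Python model (not Vault's code) of a role lookup keyed on role name alone beside one keyed on account ID plus role name, together with a small audit of bound principal ARN patterns; the ARNs and account IDs are constructed for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# IAM role ARN shape: arn:aws:iam::<12-digit account>:role/<name>
IAM_ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/(.+)$")


@dataclass(frozen=True)
class Principal:
    account_id: str
    role_name: str


def parse_role_arn(arn: str) -> Principal:
    m = IAM_ROLE_ARN.match(arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {arn}")
    return Principal(account_id=m.group(1), role_name=m.group(2))


def cache_key_vulnerable(arn: str) -> str:
    # Models the flaw described in the bulletin: the lookup is keyed on the
    # role name only, so the same role name in another account collides.
    return parse_role_arn(arn).role_name


def cache_key_fixed(arn: str) -> tuple[str, str]:
    # The account ID is part of the identity, so it must be part of the key.
    p = parse_role_arn(arn)
    return (p.account_id, p.role_name)


def audit_bound_principals(bound: list[str]) -> list[str]:
    """Return one finding per pattern that could match an ARN from an
    unintended account: an account field that is not a concrete 12-digit
    ID, or a wildcard anywhere else in the pattern."""
    findings = []
    for pattern in bound:
        parts = pattern.split(":")
        account = parts[4] if len(parts) > 4 else ""
        if not re.fullmatch(r"\d{12}", account):
            findings.append(f"account not pinned: {pattern}")
        elif "*" in pattern or "?" in pattern:
            findings.append(f"wildcard in role path: {pattern}")
    return findings


if __name__ == "__main__":
    # Constructed sample: two accounts, same role name.
    legit = "arn:aws:iam::111111111111:role/vault-reader"
    other = "arn:aws:iam::222222222222:role/vault-reader"
    print("vulnerable keys collide:", cache_key_vulnerable(legit) == cache_key_vulnerable(other))
    print("fixed keys collide:", cache_key_fixed(legit) == cache_key_fixed(other))
    print(audit_bound_principals(["arn:aws:iam::*:role/vault-reader"]))
```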

The vulnerabilities were discovered by Toni Tauro of Adfinis AG and Pavlos Karakalidis. Given Vault’s critical role in managing encryption keys, database credentials, and API tokens across enterprises, these vulnerabilities pose substantial risk to organizations relying on Vault for secrets management.

Organizations should prioritize patching efforts, particularly those leveraging AWS authentication methods with cross-account access patterns.

The combination of DoS and authentication bypass vulnerabilities demonstrates the importance of maintaining current Vault deployments and implementing defense-in-depth strategies for infrastructure security.
