Vault Community and Vault Enterprise (“Vault”) clusters using Vault’s Integrated Storage backend are vulnerable to a denial-of-service (DoS) attack through memory exhaustion through a Raft cluster join API endpoint . An attacker may send a large volume of requests to the endpoint which may cause Vault to consume excessive system memory resources, potentially leading to a crash of the underlying system and the Vault process itself.

This vulnerability, CVE-2024-8185, is fixed in Vault Community 1.18.1 and Vault Enterprise 1.18.1, 1.17.8, and 1.16.12.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Thu, 07 Aug 2025 19:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*
cpe:2.3:a:hashicorp:vault:1.18.0:*:*:*:enterprise:*:*:*

Fri, 01 Nov 2024 02:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Important


Thu, 31 Oct 2024 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Hashicorp
Hashicorp vault
CPEs cpe:2.3:a:hashicorp:vault:*:*:*:*:community:*:*:*
cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*
Vendors & Products Hashicorp
Hashicorp vault
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 31 Oct 2024 15:30:00 +0000

Type Values Removed Values Added
Description Vault Community and Vault Enterprise (“Vault”) clusters using Vault’s Integrated Storage backend are vulnerable to a denial-of-service (DoS) attack through memory exhaustion through a Raft cluster join API endpoint . An attacker may send a large volume of requests to the endpoint which may cause Vault to consume excessive system memory resources, potentially leading to a crash of the underlying system and the Vault process itself. This vulnerability, CVE-2024-8185, is fixed in Vault Community 1.18.1 and Vault Enterprise 1.18.1, 1.17.8, and 1.16.12.
Title Vault Vulnerable to Denial of Service When Processing Raft Join Requests
Weaknesses CWE-636
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: HashiCorp

Published:

Updated: 2024-10-31T17:11:35.647Z

Reserved: 2024-08-26T16:24:04.547Z

Link: CVE-2024-8185

cve-icon Vulnrichment

Updated: 2024-10-31T16:58:16.160Z

cve-icon NVD

Status : Analyzed

Published: 2024-10-31T16:15:06.267

Modified: 2025-08-07T19:14:38.363

Link: CVE-2024-8185

cve-icon Redhat

Severity : Important

Publid Date: 2024-10-31T15:14:55Z

Links: CVE-2024-8185 - Bugzilla

cve-icon OpenCVE Enrichment

No data.