Description
Consul and Consul Enterprise’s (“Consul”) key/value endpoint is vulnerable to denial of service (DoS) due to incorrect Content Length header validation. This vulnerability, CVE-2025-11374, is fixed in Consul Community Edition 1.22.0 and Consul Enterprise 1.22.0, 1.21.6, 1.20.8 and 1.18.12.
Published: 2025-10-28
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a flaw in Consul’s key/value store HTTP handling. An attacker can exploit the incorrect validation of the Content‑Length header when sending requests to the KV endpoint, causing the Consul daemon to consume excessive memory and become unresponsive. This results in an availability loss for services that rely on Consul’s data plane and is classified as CWE‑770, Large or Uncontrolled Resource Consumption.

Affected Systems

HashiCorp Consul Community Edition versions up to 1.21.9 and Consul Enterprise versions up to 1.21.5, 1.20.7 and 1.18.11 are affected. The fix is included in Community Edition 1.22.0 and Enterprise 1.22.0, 1.21.6, 1.20.8 and 1.18.12.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, but the EPSS score of less than 1% shows that exploitation attempts are currently rare, and the vulnerability is not listed in CISA’s KEV catalog. It is inferred that the attack vector is network‑based: an attacker must reach the KV API over HTTP or HTTPS and craft a request with a mismatched Content‑Length header. The exploit is straightforward for anyone with network access to the service, so systems without proper segmentation may be at higher risk.

Generated by OpenCVE AI on April 20, 2026 at 15:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest fixed release: Consul Community Edition 1.22.0 or Consul Enterprise 1.22.0, 1.21.6, 1.20.8, or 1.18.12.
  • Restrict access to the KV endpoint to trusted internal networks or a secure service mesh to reduce exposure to untrusted traffic.
  • Monitor KV API traffic for abnormal request patterns and apply rate‑limiting or blocking policies against repeated malformed requests.

Advisories

Source: GitHub GHSA
ID: GHSA-7g3r-8c6v-hfmr
Title: Consul key/value endpoint is vulnerable to denial of service
History

Mon, 22 Dec 2025 16:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:hashicorp:consul:*:*:*:*:-:*:*:*
     | | cpe:2.3:a:hashicorp:consul:*:*:*:*:enterprise:*:*:*

Thu, 30 Oct 2025 00:15:00 +0000

Type | Values Removed | Values Added
References | |
Metrics (threat_severity) | None | Moderate

Wed, 29 Oct 2025 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Hashicorp
                    | | Hashicorp consul
Vendors & Products | | Hashicorp
                   | | Hashicorp consul

Tue, 28 Oct 2025 21:15:00 +0000

Type | Values Removed | Values Added
Metrics (ssvc) | | {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 28 Oct 2025 20:45:00 +0000

Type | Values Removed | Values Added
Description | | Consul and Consul Enterprise’s (“Consul”) key/value endpoint is vulnerable to denial of service (DoS) due to incorrect Content Length header validation. This vulnerability, CVE-2025-11374, is fixed in Consul Community Edition 1.22.0 and Consul Enterprise 1.22.0, 1.21.6, 1.20.8 and 1.18.12.
Title | | Consul's KV endpoint is vulnerable to denial of service
Weaknesses | | CWE-770
References | |
Metrics (cvssV3_1) | | {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: HashiCorp

Published:

Updated: 2026-04-17T18:34:14.829Z

Reserved: 2025-10-06T15:34:09.965Z

Link: CVE-2025-11374

Vulnrichment

Updated: 2025-10-28T20:36:00.377Z

NVD

Status : Analyzed

Published: 2025-10-28T21:15:37.300

Modified: 2025-12-22T16:05:52.177

Link: CVE-2025-11374

Red Hat

Severity : Moderate

Public Date: 2025-10-28T20:19:05Z

Links: CVE-2025-11374 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T16:00:10Z

Weaknesses