Vault Community and Vault Enterprise rekey and recovery key operations can lead to a denial of service due to uncontrolled cancellation by a Vault operator. This vulnerability (CVE-2025-4656) has been remediated in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.6, 1.18.11, 1.17.17, and 1.16.22.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Wed, 13 Aug 2025 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Hashicorp
Hashicorp vault
CPEs cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*
cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*
Vendors & Products Hashicorp
Hashicorp vault

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00043}

epss

{'score': 0.00013}


Thu, 26 Jun 2025 00:30:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Low


Wed, 25 Jun 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Jun 2025 16:30:00 +0000

Type Values Removed Values Added
Description Vault Community and Vault Enterprise rekey and recovery key operations can lead to a denial of service due to uncontrolled cancellation by a Vault operator. This vulnerability (CVE-2025-4656) has been remediated in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.6, 1.18.11, 1.17.17, and 1.16.22.
Title Vault Vulnerable to Recovery Key Cancellation Denial of Service
Weaknesses CWE-1088
References
Metrics cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L'}


cve-icon MITRE

Status: PUBLISHED

Assigner: HashiCorp

Published:

Updated: 2025-06-25T20:05:45.581Z

Reserved: 2025-05-13T15:30:55.244Z

Link: CVE-2025-4656

cve-icon Vulnrichment

Updated: 2025-06-25T20:05:29.383Z

cve-icon NVD

Status : Analyzed

Published: 2025-06-25T17:15:38.440

Modified: 2025-08-13T18:02:04.647

Link: CVE-2025-4656

cve-icon Redhat

Severity : Low

Publid Date: 2025-06-25T16:15:11Z

Links: CVE-2025-4656 - Bugzilla

cve-icon OpenCVE Enrichment

No data.