HashiCorp Vault CVE-2025-12044: Brief Summary of Unauthenticated Denial of Service via JSON Payload Regression

This post provides a brief summary of CVE-2025-12044, a high-severity unauthenticated denial of service vulnerability in HashiCorp Vault and Vault Enterprise. The flaw allows attackers to exhaust resources by sending specially crafted JSON payloads, due to a regression in rate limiting logic. Includes affected versions, technical details, and references.
CVE Analysis

ZeroPath CVE Analysis

2025-10-23

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Denial of service attacks against secrets management infrastructure can halt application deployments, disrupt credential rotation, and undermine operational continuity for organizations relying on automated workflows. CVE-2025-12044 exposes a high-severity flaw in HashiCorp Vault and Vault Enterprise, allowing unauthenticated attackers to exhaust system resources simply by sending repeated JSON API requests. This vulnerability is the result of a regression in the request processing pipeline, where rate limiting was incorrectly applied after expensive JSON parsing operations.

HashiCorp is a major provider of infrastructure automation tools, with Vault widely used for secrets management, encryption as a service, and privileged access workflows. Vault is deployed by thousands of organizations globally, spanning industries from finance to technology, and is a foundational component in many cloud and on-premises security architectures. The impact of a denial of service vulnerability in Vault is therefore significant, potentially affecting a broad spectrum of critical infrastructure.

Technical Information

CVE-2025-12044 is a regression vulnerability introduced after the fix for CVE-2025-6203 (HCSEC-2025-24). The initial vulnerability allowed attackers to send complex but valid JSON payloads that, while under the maximum request size, would consume excessive CPU and memory during parsing and audit operations. To mitigate this, HashiCorp introduced new listener configuration parameters that limit JSON structure complexity, such as maximum nesting depth and string length.

However, the fix inadvertently left a gap: in affected versions, Vault parses the JSON payload before applying rate limiting. An attacker can therefore send repeated HTTP requests with valid but resource-intensive JSON bodies, and each one is parsed, consuming CPU and memory, before the rate limiter checks whether the client has exceeded its quota. Because throttling happens only after parsing, an unauthenticated attacker can exhaust CPU and memory simply by sending enough requests, potentially degrading performance or causing a service outage.

The vulnerability is classified as CWE-770: Allocation of Resources Without Limits or Throttling. The attack requires only network access to the Vault API endpoint and does not require authentication or special privileges. The issue is resolved in patched versions where the request processing order is corrected so that rate limiting is enforced before JSON parsing.
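The ordering problem described above is easiest to see in code. The following Go program is an added illustration written for this post; it is not Vault's source and does not reproduce Vault's internals. It assumes a simplified fixed-allowance quota per client (no refill window), a streaming JSON parser that enforces a maximum nesting depth as a stand-in for the structural limits introduced after HCSEC-2025-24, and a constructed deeply nested request body. Two handlers process the same flood of requests: one in the regressed order (parse, then throttle) and one in the corrected order (throttle, then parse). The counter on the parser shows how many bodies actually paid the parse cost in each case.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
	"sync"
)

// The two rejection reasons this demo distinguishes.
var (
	ErrRateLimited = errors.New("rate limit exceeded")
	ErrTooDeep     = errors.New("json nesting depth exceeds limit")
)

// Quota is a deliberately simple per-client request counter standing in for a
// rate-limit quota (assumption: a fixed allowance with no refill window).
type Quota struct {
	mu      sync.Mutex
	allowed int
	seen    map[string]int
}

func NewQuota(allowed int) *Quota {
	return &Quota{allowed: allowed, seen: map[string]int{}}
}

// Allow consumes one unit of the client's allowance; false once it is exhausted.
func (q *Quota) Allow(client string) bool {
	q.mu.Lock()
	defer q.mu.Unlock()
	q.seen[client]++
	return q.seen[client] <= q.allowed
}

// Parser counts how many bodies it has parsed, which is the cost an attacker
// drives up. It streams tokens rather than building a tree and rejects input
// that nests deeper than MaxDepth (a structural limit of the kind the
// HCSEC-2025-24 fix added; the exact Vault parameters are not modelled here).
type Parser struct {
	MaxDepth int
	Calls    int
}

func (p *Parser) Parse(body []byte) error {
	p.Calls++
	dec := json.NewDecoder(bytes.NewReader(body))
	depth := 0
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err
		}
		if d, ok := tok.(json.Delim); ok {
			switch d {
			case '{', '[':
				depth++
				if depth > p.MaxDepth {
					return ErrTooDeep
				}
			case '}', ']':
				depth--
			}
		}
	}
}

// HandleVulnerable mirrors the regressed order: parse first, throttle second,
// so every request pays the parse cost before the quota can reject it.
func HandleVulnerable(q *Quota, p *Parser, client string, body []byte) error {
	if err := p.Parse(body); err != nil {
		return err
	}
	if !q.Allow(client) {
		return ErrRateLimited
	}
	return nil
}

// HandleFixed mirrors the corrected order: throttle first, parse second.
func HandleFixed(q *Quota, p *Parser, client string, body []byte) error {
	if !q.Allow(client) {
		return ErrRateLimited
	}
	return p.Parse(body)
}

type Handler func(*Quota, *Parser, string, []byte) error

// Flood sends n identical requests from one client and reports how many
// bodies were actually parsed and how many requests were rate limited.
func Flood(h Handler, allowed, n int, body []byte) (parsed, limited int) {
	q := NewQuota(allowed)
	p := &Parser{MaxDepth: 64}
	for i := 0; i < n; i++ {
		if err := h(q, p, "10.0.0.1", body); errors.Is(err, ErrRateLimited) {
			limited++
		}
	}
	return p.Calls, limited
}

// DeepBody builds a constructed, valid JSON body nested `depth` levels deep.
func DeepBody(depth int) []byte {
	return []byte(strings.Repeat("[", depth) + strings.Repeat("]", depth))
}

func main() {
	body := DeepBody(50)
	vp, vl := Flood(HandleVulnerable, 5, 100, body)
	fp, fl := Flood(HandleFixed, 5, 100, body)
	fmt.Printf("regressed order: parsed=%d limited=%d\n", vp, vl)
	fmt.Printf("corrected order: parsed=%d limited=%d\n", fp, fl)
}
```

With an allowance of 5 and 100 requests, the regressed handler parses all 100 bodies and only then rejects 95 of them, while the corrected handler parses exactly 5. The depth limit alone does not close the gap: a body that exceeds it is still tokenised up to the limit on every request, which is why the order of the checks, not just their presence, is the fix.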

Affected Systems and Versions

The following versions are affected:

Vault Community Edition:

  • Versions 1.20.3 to 1.20.4

Vault Enterprise:

  • Versions 1.20.3 to 1.20.4
  • Versions 1.19.9 to 1.19.10
  • Versions 1.18.14 to 1.18.15
  • Versions 1.16.25 to 1.16.26

Fixed versions:

  • Vault Community Edition 1.21.0
  • Vault Enterprise 1.16.27, 1.19.11, 1.20.5, and 1.21.0

The vulnerability affects all configurations where Vault API endpoints are exposed to network access, especially those accessible from untrusted networks.

Vendor Security History

HashiCorp has previously addressed a similar denial of service vulnerability in Vault related to complex JSON payloads (CVE-2025-6203, HCSEC-2025-24). The recurrence of a related issue as a regression highlights the complexity of securely evolving request processing logic. HashiCorp's security advisories are transparent and the company provides patches across multiple supported version lines, reflecting a mature response process. However, the need for improved regression testing and validation is evident given the sequence of related vulnerabilities.
