Critical Vulnerabilities in HashiCorp Vault Expose Systems to Authentication Bypass and Denial-of-Service Attacks

HashiCorp has recently identified and disclosed two significant security vulnerabilities within its Vault software, a widely utilized tool for secrets management, encryption, and identity-based access. These vulnerabilities, cataloged as CVE-2025-12044 and CVE-2025-11621, pose substantial risks, including the potential for attackers to bypass authentication mechanisms and execute denial-of-service (DoS) attacks. Both the Vault Community Edition and Vault Enterprise are affected, prompting HashiCorp to recommend immediate software updates to mitigate these threats.

Denial-of-Service Vulnerability via JSON Payloads (CVE-2025-12044):

The first vulnerability, CVE-2025-12044, allows unauthenticated attackers to initiate DoS attacks by exploiting a flaw in the processing of JSON payloads. This issue originates from a regression introduced in a previous fix (HCSEC-2025-24) that aimed to address resource exhaustion caused by complex JSON payloads. In the affected versions, Vault applies rate limits after parsing incoming JSON requests instead of before, enabling attackers to send large, valid payloads that fall under the maximum request size threshold. This oversight permits repeated requests that consume excessive CPU and memory resources, potentially leading to service unavailability or crashes.
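The ordering defect described above is easy to model. The following Go program is an added illustration written for this article, not HashiCorp's code: a fixed-quota limiter stands in for Vault's rate limiting, and two handlers differ only in whether they consult the limiter before or after decoding the JSON body. A counter records how many requests paid the parsing cost. The handler names, the `/v1/secret/data/demo` path and the 32 MiB body cap are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync/atomic"
)

// quotaLimiter is a constructed stand-in for a per-client rate limiter:
// it admits at most `quota` requests and rejects every one after that.
type quotaLimiter struct {
	quota   int64
	granted atomic.Int64
}

func (q *quotaLimiter) allow() bool {
	return q.granted.Add(1) <= q.quota
}

// jsonHandler counts how often the expensive step (full JSON decode) ran.
type jsonHandler struct {
	parseCount atomic.Int64
}

// decode performs the work the advisory describes as the resource sink.
// The 32 MiB cap is an assumed maximum request size for this example.
func (h *jsonHandler) decode(r *http.Request) error {
	h.parseCount.Add(1)
	var v map[string]any
	return json.NewDecoder(io.LimitReader(r.Body, 32<<20)).Decode(&v)
}

// weakOrder mirrors the regressed behaviour: decode first, rate-limit second.
// Every request, including the ones that end up rejected, is fully parsed.
func weakOrder(h *jsonHandler, lim *quotaLimiter) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := h.decode(r); err != nil {
			http.Error(w, "bad json", http.StatusBadRequest)
			return
		}
		if !lim.allow() {
			http.Error(w, "rate limited", http.StatusTooManyRequests)
			return
		}
		w.WriteHeader(http.StatusNoContent)
	})
}

// fixedOrder checks the limiter before touching the body, so a rejected
// request costs one counter increment instead of a parse.
func fixedOrder(h *jsonHandler, lim *quotaLimiter) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !lim.allow() {
			http.Error(w, "rate limited", http.StatusTooManyRequests)
			return
		}
		if err := h.decode(r); err != nil {
			http.Error(w, "bad json", http.StatusBadRequest)
			return
		}
		w.WriteHeader(http.StatusNoContent)
	})
}

// simulate sends n valid JSON requests through the given handler layout and
// returns how many bodies were parsed and how many requests were rejected.
func simulate(build func(*jsonHandler, *quotaLimiter) http.Handler, quota int64, n int) (parsed, rejected int64) {
	h := &jsonHandler{}
	lim := &quotaLimiter{quota: quota}
	srv := build(h, lim)
	// Constructed payload: valid JSON, well under the size cap.
	body := `{"data":{"key":"` + strings.Repeat("x", 4096) + `"}}`
	for i := 0; i < n; i++ {
		rec := httptest.NewRecorder()
		req := httptest.NewRequest(http.MethodPost, "/v1/secret/data/demo", strings.NewReader(body))
		srv.ServeHTTP(rec, req)
		if rec.Code == http.StatusTooManyRequests {
			rejected++
		}
	}
	return h.parseCount.Load(), rejected
}

func main() {
	p, r := simulate(weakOrder, 5, 100)
	fmt.Printf("parse-then-limit: parsed=%d rejected=%d\n", p, r)
	p, r = simulate(fixedOrder, 5, 100)
	fmt.Printf("limit-then-parse: parsed=%d rejected=%d\n", p, r)
}
```

Both layouts reject the same 95 of 100 requests, but only the second one spares the server the 95 useless decodes; the rejection count alone would not reveal the regression, which is why the parse counter is the metric worth watching.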

The affected versions include Vault Community Edition versions 1.20.3 to 1.20.4, with fixes available in version 1.21.0. For Vault Enterprise, the impacted releases are 1.20.3 to 1.20.4, 1.19.9 to 1.19.10, 1.18.14 to 1.18.15, and 1.16.25 to 1.16.26, with patches provided in versions 1.21.0, 1.20.5, 1.19.11, and 1.16.27.

Authentication Bypass in AWS and EC2 Methods (CVE-2025-11621):

The second vulnerability, CVE-2025-11621, presents a more severe threat: an authentication bypass in Vault’s AWS authentication method, which issues tokens automatically to IAM principals and EC2 instances. The method's caching logic does not validate the AWS account ID, so if the `bound_principal_iam` role name matches across accounts or uses wildcards, an attacker in a different account could impersonate a legitimate user, leading to unauthorized access, data exposure, and potential privilege escalation.

A similar issue affects the EC2 authentication method, where cache lookups only verify AMI IDs without considering account IDs, thereby enabling cross-account attacks. This vulnerability was discovered by security researcher Pavlos Karakalidis, who coordinated the disclosure with HashiCorp. The flaw underscores the risks associated with wildcard configurations in multi-account setups.
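The cache behaviour behind both the IAM and EC2 variants comes down to what goes into the cache key. The Go program below is an added, simplified model written for this article; it is not Vault's implementation. The types, the two key functions and the account IDs `111111111111` and `222222222222` are constructed. The authoritative check always verifies the account; the only thing that changes between the two runs is whether the cache key includes it.

```go
package main

import "fmt"

// callerIdentity is the part of an AWS caller's identity relevant here
// (constructed type, not Vault's own).
type callerIdentity struct {
	AccountID string // 12-digit AWS account ID
	Principal string // IAM role name for the IAM method, AMI ID for the EC2 method
}

// roleBinding is a Vault role and the principal/account it was configured for.
type roleBinding struct {
	VaultRole      string
	BoundPrincipal string
	BoundAccount   string
}

// keyFunc decides which callers share a cache entry.
type keyFunc func(callerIdentity) string

// weakKey models the flaw: the account ID is omitted, so a same-named role
// (or the same AMI) in another account maps to the same entry.
func weakKey(c callerIdentity) string { return c.Principal }

// fixedKey scopes the entry to the account that was actually verified.
func fixedKey(c callerIdentity) string { return c.AccountID + ":" + c.Principal }

// authCache short-circuits the authoritative lookup for repeat callers.
type authCache struct {
	key     keyFunc
	entries map[string]roleBinding
}

func newAuthCache(k keyFunc) *authCache {
	return &authCache{key: k, entries: map[string]roleBinding{}}
}

// authoritativeLookup is the full check: principal and account must both match.
func authoritativeLookup(bindings []roleBinding, c callerIdentity) (roleBinding, bool) {
	for _, b := range bindings {
		if b.BoundPrincipal == c.Principal && b.BoundAccount == c.AccountID {
			return b, true
		}
	}
	return roleBinding{}, false
}

// login returns the Vault role granted to the caller, consulting the cache first.
func (ac *authCache) login(bindings []roleBinding, c callerIdentity) (string, bool) {
	k := ac.key(c)
	if b, ok := ac.entries[k]; ok {
		return b.VaultRole, true // cache hit: authoritative check is skipped
	}
	b, ok := authoritativeLookup(bindings, c)
	if !ok {
		return "", false
	}
	ac.entries[k] = b
	return b.VaultRole, true
}

// crossAccountAccepted plays out the scenario from the advisory: a legitimate
// login from the bound account warms the cache, then a caller from a different
// account presents the same principal name. It reports whether that second
// caller was granted the role.
func crossAccountAccepted(k keyFunc) bool {
	bindings := []roleBinding{{VaultRole: "prod-app", BoundPrincipal: "app-role", BoundAccount: "111111111111"}}
	cache := newAuthCache(k)
	legit := callerIdentity{AccountID: "111111111111", Principal: "app-role"}
	other := callerIdentity{AccountID: "222222222222", Principal: "app-role"}
	if _, ok := cache.login(bindings, legit); !ok {
		panic("legitimate login should succeed")
	}
	_, ok := cache.login(bindings, other)
	return ok
}

func main() {
	fmt.Println("principal-only key admits other account:", crossAccountAccepted(weakKey))
	fmt.Println("account-scoped key admits other account:", crossAccountAccepted(fixedKey))
}
```

The model also shows why the advisory singles out wildcards and name collisions: with a principal-only key, the bypass only needs the attacker's role name to equal one that has already logged in, and a wildcard binding makes that trivially true for any role name.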

The affected versions are extensive: Vault Community Edition from 0.6.0 to 1.20.4 (fixed in 1.21.0), and Vault Enterprise from 0.6.0 to 1.20.4, plus 1.19.10, 1.18.15, and 1.16.26 (fixed in 1.21.0, 1.20.5, 1.19.11, and 1.16.27).

Mitigation Measures:

To address these vulnerabilities, HashiCorp has released patches and strongly advises users to upgrade to the fixed versions promptly. For those unable to update immediately, it is recommended to review AWS authentication configurations, eliminate wildcards in `bound_principal_iam`, and audit for role name collisions across accounts.
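The configuration review recommended above can be scripted. The Go program below is an added example for this article, not a HashiCorp tool. It walks a set of AWS auth role definitions shaped like the `data` object returned by `vault read -format=json auth/aws/role/<name>` (the exact output shape is assumed; adjust the struct tags if your version differs) and flags three things: wildcards in `bound_iam_principal_arn` (the documented parameter name that the advisory text abbreviates as `bound_principal_iam`), EC2 roles that bind an AMI without also binding `bound_account_id`, and IAM role names bound in more than one account. The five role records are constructed sample input.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// awsRole holds only the fields this audit needs from a Vault AWS auth role.
type awsRole struct {
	Name string `json:"name"`
	Data struct {
		AuthType             string   `json:"auth_type"`
		BoundIAMPrincipalARN []string `json:"bound_iam_principal_arn"`
		BoundAMIID           []string `json:"bound_ami_id"`
		BoundAccountID       []string `json:"bound_account_id"`
	} `json:"data"`
}

// sampleRoles is constructed input: two IAM roles binding the same role name
// in different accounts, one wildcard binding, and two EC2 roles with and
// without an account restriction.
const sampleRoles = `[
 {"name":"ci","data":{"auth_type":"iam","bound_iam_principal_arn":["arn:aws:iam::111111111111:role/ci-runner"]}},
 {"name":"deploy","data":{"auth_type":"iam","bound_iam_principal_arn":["arn:aws:iam::111111111111:role/*"]}},
 {"name":"ci-partner","data":{"auth_type":"iam","bound_iam_principal_arn":["arn:aws:iam::222222222222:role/ci-runner"]}},
 {"name":"legacy-ec2","data":{"auth_type":"ec2","bound_ami_id":["ami-0123456789abcdef0"]}},
 {"name":"hardened-ec2","data":{"auth_type":"ec2","bound_ami_id":["ami-0123456789abcdef0"],"bound_account_id":["111111111111"]}}
]`

// splitRoleARN extracts the account ID and role name from
// arn:aws:iam::<account>:role/<name>; other ARN shapes are skipped.
func splitRoleARN(arn string) (account, name string, ok bool) {
	parts := strings.SplitN(arn, ":", 6)
	if len(parts) != 6 || parts[2] != "iam" || !strings.HasPrefix(parts[5], "role/") {
		return "", "", false
	}
	return parts[4], strings.TrimPrefix(parts[5], "role/"), true
}

// auditRoles returns sorted findings for the role set encoded in raw.
func auditRoles(raw []byte) ([]string, error) {
	var roles []awsRole
	if err := json.Unmarshal(raw, &roles); err != nil {
		return nil, err
	}
	var findings []string
	accountsByRoleName := map[string]map[string]bool{} // IAM role name -> accounts it is bound in
	for _, r := range roles {
		for _, arn := range r.Data.BoundIAMPrincipalARN {
			if strings.Contains(arn, "*") {
				findings = append(findings, fmt.Sprintf("%s: wildcard in bound_iam_principal_arn %q", r.Name, arn))
			}
			if acct, name, ok := splitRoleARN(arn); ok {
				if accountsByRoleName[name] == nil {
					accountsByRoleName[name] = map[string]bool{}
				}
				accountsByRoleName[name][acct] = true
			}
		}
		// An AMI ID alone does not identify an account; require bound_account_id too.
		if len(r.Data.BoundAMIID) > 0 && len(r.Data.BoundAccountID) == 0 {
			findings = append(findings, fmt.Sprintf("%s: bound_ami_id set without bound_account_id", r.Name))
		}
	}
	for name, accts := range accountsByRoleName {
		if len(accts) > 1 {
			list := make([]string, 0, len(accts))
			for a := range accts {
				list = append(list, a)
			}
			sort.Strings(list)
			findings = append(findings, fmt.Sprintf("IAM role name %q bound in multiple accounts: %s", name, strings.Join(list, ",")))
		}
	}
	sort.Strings(findings)
	return findings, nil
}

func main() {
	findings, err := auditRoles([]byte(sampleRoles))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println(f)
	}
}
```

Run against real output, the role-name collision finding is the one that matters most until the upgrade lands: it identifies exactly the pairs of roles where a principal-only cache lookup could cross accounts.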

These vulnerabilities highlight the ongoing challenges in balancing performance with robust security, especially as organizations increasingly rely on automated authentication methods like AWS integration. Ensuring that systems are updated and configurations are reviewed is crucial to maintaining the security and integrity of sensitive data managed by HashiCorp Vault.