Vault and Vault Enterprise (“Vault”) are vulnerable to an unauthenticated denial of service when processing JSON payloads. This occurs due to a regression from a previous fix for [+HCSEC-2025-24+|https://discuss.hashicorp.com/t/hcsec-2025-24-vault-denial-of-service-though-complex-json-payloads/76393] which allowed for processing JSON payloads before applying rate limits. This vulnerability, CVE-2025-12044, is fixed in Vault Community Edition 1.21.0 and Vault Enterprise 1.16.27, 1.19.11, 1.20.5, and 1.21.0.
{
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "1.19.9"
},
{
"fixed": "1.19.11"
},
{
"introduced": "1.18.14"
},
{
"fixed": "1.18.15"
},
{
"introduced": "1.16.25"
},
{
"fixed": "1.16.27"
}
]
}
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/12xxx/CVE-2025-12044.json",
"cna_assigner": "HashiCorp",
"cwe_ids": [
"CWE-770"
]
}