CVE-2025-12044

Source
https://cve.org/CVERecord?id=CVE-2025-12044
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-12044.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-12044
Aliases
Downstream
Related
Published
2025-10-23T19:15:16.567Z
Modified
2026-07-08T06:53:17.922804854Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Vault Vulnerable to Denial of Service Due to Rate Limit Regression
Details

Vault and Vault Enterprise (“Vault”) are vulnerable to an unauthenticated denial of service when processing JSON payloads. This occurs due to a regression from a previous fix for [+HCSEC-2025-24+|https://discuss.hashicorp.com/t/hcsec-2025-24-vault-denial-of-service-though-complex-json-payloads/76393]  which allowed for processing JSON payloads before applying rate limits. This vulnerability, CVE-2025-12044, is fixed in Vault Community Edition 1.21.0 and Vault Enterprise 1.16.27, 1.19.11, 1.20.5, and 1.21.0.

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "1.19.9"
                },
                {
                    "fixed": "1.19.11"
                },
                {
                    "introduced": "1.18.14"
                },
                {
                    "fixed": "1.18.15"
                },
                {
                    "introduced": "1.16.25"
                },
                {
                    "fixed": "1.16.27"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/12xxx/CVE-2025-12044.json",
    "cna_assigner": "HashiCorp",
    "cwe_ids": [
        "CWE-770"
    ]
}
References

Affected packages

Git / github.com/hashicorp/vault

Affected ranges

Type
GIT
Repo
https://github.com/hashicorp/vault
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "cpe": "cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*",
    "extracted_events": [
        {
            "introduced": "1.20.3"
        },
        {
            "fixed": "1.21.0"
        }
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-12044.json"