CVE-2025-11374

MEDIUM

Consul < 1.22.0 - Denial of Service via KV Endpoint Content Length Header

Title source: llm

Description

Consul and Consul Enterprise’s (“Consul”) key/value endpoint is vulnerable to denial of service (DoS) due to incorrect Content Length header validation. This vulnerability, CVE-2025-11374, is fixed in Consul Community Edition 1.22.0 and Consul Enterprise 1.22.0, 1.21.6, 1.20.8 and 1.18.12.

References (1)

Core 1

Core References

Vendor Advisory

https://discuss.hashicorp.com/t/hcsec-2025-29-consuls-kv-endpoint-is-vulnerable-to-denial-of-service/76724

Scores

CVSS v3 6.5

EPSS 0.0004

EPSS Percentile 12.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-770

Status published

Products (5)

hashicorp/consul < 1.18.12

hashicorp/consul < 1.22.0

HashiCorp/Consul < 1.22.0

hashicorp/consul 0 - 1.22.0Go

HashiCorp/Consul Enterprise < 1.22.0

Published Oct 28, 2025

Tracked Since Feb 18, 2026