CVE-2025-11375

MEDIUM

Consul < 1.18.12, 1.19.0-1.21.5, 1.22.0 - Denial of Service via Event Endpoint

Title source: llm

Description

Consul and Consul Enterprise’s (“Consul”) event endpoint is vulnerable to denial of service (DoS) due to lack of maximum value on the Content Length header. This vulnerability, CVE-2025-11375, is fixed in Consul Community Edition 1.22.0 and Consul Enterprise 1.22.0, 1.21.6, 1.20.8 and 1.18.12.

References (1)

Core 1

Core References

Vendor Advisory

https://discuss.hashicorp.com/t/hcsec-2025-28-consuls-event-endpoint-is-vulnerable-to-denial-of-service/76723

Scores

CVSS v3 6.5

EPSS 0.0004

EPSS Percentile 12.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-770

Status published

Products (3)

hashicorp/consul < 1.18.12

hashicorp/consul < 1.22.0

hashicorp/consul 0 - 1.22.0Go

Published Oct 28, 2025

Tracked Since Feb 18, 2026