{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11375", "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "state": "PUBLISHED", "assignerShortName": "HashiCorp", "dateReserved": "2025-10-06T15:34:11.889Z", "datePublished": "2025-10-28T20:12:14.325Z", "dateUpdated": "2025-12-09T01:37:57.188Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "product": "Consul", "repo": "https://github.com/hashicorp/consul", "vendor": "HashiCorp", "versions": [{"lessThan": "1.22.0", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "product": "Consul Enterprise", "repo": "https://github.com/hashicorp/consul", "vendor": "HashiCorp", "versions": [{"changes": [{"at": "1.21.6", "status": "unaffected"}, {"at": "1.20.8", "status": "unaffected"}, {"at": "1.18.12", "status": "unaffected"}], "lessThan": "1.22.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Consul and Consul Enterprise\u2019s (\u201cConsul\u201d) event endpoint is vulnerable to denial of service (DoS) due to lack of maximum value on the Content Length header. This vulnerability, CVE-2025-11375, is fixed in Consul Community Edition 1.22.0 and Consul Enterprise 1.22.0, 1.21.6, 1.20.8 and 1.18.12.</p><br/>"}], "value": "Consul and Consul Enterprise\u2019s (\u201cConsul\u201d) event endpoint is vulnerable to denial of service (DoS) due to lack of maximum value on the Content Length header. This vulnerability, CVE-2025-11375, is fixed in Consul Community Edition 1.22.0 and Consul Enterprise 1.22.0, 1.21.6, 1.20.8 and 1.18.12."}], "impacts": [{"capecId": "CAPEC-469", "descriptions": [{"lang": "en", "value": "CAPEC-469: HTTP DoS"}]}], "metrics": [{"cvssV3_1": {"baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "shortName": "HashiCorp", "dateUpdated": "2025-12-09T01:37:57.188Z"}, "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2025-28-consuls-event-endpoint-is-vulnerable-to-denial-of-service/76723"}], "source": {"advisory": "HCSEC-2025-28", "discovery": "EXTERNAL"}, "title": "Consul's event endpoint is vulnerable to denial of service"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-29T17:34:13.959341Z", "id": "CVE-2025-11375", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-29T17:34:25.690Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11375", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-29T17:34:13.959341Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-29T17:34:21.069Z"}}], "cna": {"title": "Consul's event endpoint is vulnerable to denial of service", "source": {"advisory": "HCSEC-2025-28", "discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-469", "descriptions": [{"lang": "en", "value": "CAPEC-469: HTTP DoS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/hashicorp/consul", "vendor": "HashiCorp", "product": "Consul", "versions": [{"status": "affected", "version": "0", "lessThan": "1.22.0", "versionType": "semver"}], "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "defaultStatus": "unaffected"}, {"repo": "https://github.com/hashicorp/consul", "vendor": "HashiCorp", "product": "Consul Enterprise", "versions": [{"status": "affected", "changes": [{"at": "1.21.6", "status": "unaffected"}, {"at": "1.20.8", "status": "unaffected"}, {"at": "1.18.12", "status": "unaffected"}], "version": "0", "lessThan": "1.22.0", "versionType": "semver"}], "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "defaultStatus": "unaffected"}], "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2025-28-consuls-event-endpoint-is-vulnerable-to-denial-of-service/76723"}], "descriptions": [{"lang": "en", "value": "Consul and Consul Enterprise\u2019s (\u201cConsul\u201d) event endpoint is vulnerable to denial of service (DoS) due to lack of maximum value on the Content Length header. This vulnerability, CVE-2025-11375, is fixed in Consul Community Edition 1.22.0 and Consul Enterprise 1.22.0, 1.21.6, 1.20.8 and 1.18.12.", "supportingMedia": [{"type": "text/html", "value": "<p>Consul and Consul Enterprise\u2019s (\u201cConsul\u201d) event endpoint is vulnerable to denial of service (DoS) due to lack of maximum value on the Content Length header. This vulnerability, CVE-2025-11375, is fixed in Consul Community Edition 1.22.0 and Consul Enterprise 1.22.0, 1.21.6, 1.20.8 and 1.18.12.</p><br/>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "shortName": "HashiCorp", "dateUpdated": "2025-12-09T01:37:57.188Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11375", "state": "PUBLISHED", "dateUpdated": "2025-12-09T01:37:57.188Z", "dateReserved": "2025-10-06T15:34:11.889Z", "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "datePublished": "2025-10-28T20:12:14.325Z", "assignerShortName": "HashiCorp"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hashicorp:consul:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "DE3AEC9A-D84F-4B7C-9B03-D3B8CE2CD319", "versionEndExcluding": "1.18.12", "vulnerable": true}, {"criteria": "cpe:2.3:a:hashicorp:consul:*:*:*:*:-:*:*:*", "matchCriteriaId": "BD19A817-7366-4C2E-ADF9-35DC889EFE58", "versionEndExcluding": "1.22.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hashicorp:consul:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "596686CD-4DE0-4C9A-83CC-F07B0D2014DB", "versionEndExcluding": "1.20.8", "versionStartIncluding": "1.19.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hashicorp:consul:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "8B688D66-7E0A-4969-9187-D5374EDF68B9", "versionEndExcluding": "1.21.6", "versionStartIncluding": "1.21.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Consul and Consul Enterprise\u2019s (\u201cConsul\u201d) event endpoint is vulnerable to denial of service (DoS) due to lack of maximum value on the Content Length header. This vulnerability, CVE-2025-11375, is fixed in Consul Community Edition 1.22.0 and Consul Enterprise 1.22.0, 1.21.6, 1.20.8 and 1.18.12."}], "id": "CVE-2025-11375", "lastModified": "2025-12-22T15:55:08.583", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@hashicorp.com", "type": "Secondary"}]}, "published": "2025-10-28T21:15:37.470", "references": [{"source": "security@hashicorp.com", "tags": ["Vendor Advisory"], "url": "https://discuss.hashicorp.com/t/hcsec-2025-28-consuls-event-endpoint-is-vulnerable-to-denial-of-service/76723"}], "sourceIdentifier": "security@hashicorp.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security@hashicorp.com", "type": "Secondary"}]}

{"bugzilla": {"description": "github.com/hashicorp/consul: Consul's event endpoint is vulnerable to denial of service", "id": "2406931", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2406931"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-770", "details": ["Consul and Consul Enterprise\u2019s (\u201cConsul\u201d) event endpoint is vulnerable to denial of service (DoS) due to lack of maximum value on the Content Length header. This vulnerability, CVE-2025-11375, is fixed in Consul Community Edition 1.22.0 and Consul Enterprise 1.22.0, 1.21.6, 1.20.8 and 1.18.12."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-11375", "package_state": [{"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Fix deferred", "package_name": "devspaces/traefik-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}], "public_date": "2025-10-28T20:12:14Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-11375\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-11375\nhttps://discuss.hashicorp.com/t/hcsec-2025-28-consuls-event-endpoint-is-vulnerable-to-denial-of-service/76723"], "threat_severity": "Moderate"}

{"created": "2025-10-29T10:57:46.396481+00:00", "updated": "2025-10-29T10:57:46.396504+00:00", "vendors": ["hashicorp", "hashicorp$PRODUCT$consul"]}