CVE-2025-11375: 
Consul vulnerability analysis and mitigation

Consul and Consul Enterprise's event endpoint was identified with a denial of service (DoS) vulnerability tracked as CVE-2025-11375. The vulnerability was discovered on October 28, 2025, affecting Consul Community Edition up to version 1.21.5 and Consul Enterprise up to versions 1.21.5, 1.20.7, 1.19.9, and 1.18.11. The issue stems from the lack of a maximum value limit on the Content-Length header in the event endpoint (HashiCorp Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium), with an attack vector of Network, low attack complexity, low privileges required, and no user interaction needed. The vulnerability specifically affects the event endpoint that allows customers to trigger user events across an entire datacenter using Consul's gossip protocol for propagation. The technical issue involves the endpoint's failure to impose an upper limit on the Content-Length header of incoming HTTP requests (AttackerKB, Miggo).

The vulnerability allows attackers to send large payloads that are copied into the buffer, potentially leading to denial of service conditions or system instability through memory exhaustion. This affects the availability of the system while leaving confidentiality and integrity intact (HashiCorp Advisory).

The vulnerability has been fixed in Consul Community Edition 1.22.0 and Consul Enterprise versions 1.22.0, 1.21.6, 1.20.8, and 1.18.12. Organizations are strongly recommended to upgrade to these patched versions. Note that Consul Enterprise 1.19 is no longer part of the Long-Term Support (LTS) versions and will not receive a fix, so customers using this version should upgrade to a newer supported version (HashiCorp Advisory).

The vulnerability was responsibly disclosed by Julien Ahrens from RCE Security, demonstrating ongoing security research engagement with HashiCorp's products. HashiCorp has acknowledged the researcher's contribution through their security coordination program (HashiCorp Advisory).