CVE-2025-11375: 
Consul vulnerability analysis and mitigation

Consul and Consul Enterprise's event endpoint has been identified with a vulnerability (CVE-2025-11375) that affects versions up to Consul Community Edition 1.21.5 and Consul Enterprise versions 1.21.5, 1.20.7, 1.19.9, and 1.18.11. The vulnerability was discovered and disclosed on October 28, 2025, affecting the event endpoint functionality which allows customers to trigger user events across entire datacenters using Consul's gossip protocol (HashiCorp Discuss).

The vulnerability stems from the lack of maximum value limitation on the Content Length header in Consul's event endpoint. The endpoint does not impose an upper limit on the Content-Length header of incoming HTTP requests, allowing attackers to send arbitrarily large payloads that get copied into the buffer (HashiCorp Discuss).

The vulnerability can lead to denial of service (DoS) or system instability through memory exhaustion. When exploited, attackers can send large payloads that consume system resources, potentially affecting the availability of the service (HashiCorp Discuss).

The vulnerability has been fixed in Consul Community Edition 1.22.0 and Consul Enterprise versions 1.22.0, 1.21.6, 1.20.8, and 1.18.12. Organizations are strongly recommended to upgrade to these patched versions. Note that Consul Enterprise 1.19 is no longer part of the Long-Term Support (LTS) versions and won't receive a fix (HashiCorp Discuss).

The vulnerability was identified and reported by Julien Ahrens from RCE Security, demonstrating the active involvement of the security research community in identifying and responsibly disclosing Consul vulnerabilities (HashiCorp Discuss).