CVE-2025-4656: 
HashiCorp Vault vulnerability analysis and mitigation

Vault Community and Vault Enterprise rekey and recovery key operations contain a vulnerability (CVE-2025-4656) that can lead to a denial of service due to uncontrolled cancellation by a Vault operator. The vulnerability affects Vault Community Edition from 1.14.8 up to 1.19.5 and Vault Enterprise from 1.14.8 up to 1.19.5, 1.18.10, 1.17.16, 1.16.21. This issue has been discovered and disclosed on June 25, 2025 (HashiCorp Discussion).

The vulnerability stems from unauthenticated endpoints that use recovery or seal key fragment challenge/response instead of API authentication. The rekey operation, which allows operators to rekey Vault's unseal keys, cannot be run concurrently and uses a nonce to track operation progress. When using a seal that supports stored keys such as PKCS #11, operators provide the number of shares and threshold required to unseal the root key. The vulnerability has been assigned a CVSS v3.1 base score of 3.1 (LOW) with vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L and is categorized under CWE-1088 (Synchronous Access of Remote Resource without Timeout) (NVD Database).

A malicious actor can exploit this vulnerability to perform a denial of service attack by canceling ongoing rekey operations and resetting the number of shares needed. This attack can deny Vault access to clients until the operator initiates the rekey operation again. When the cancellation request is overloaded, the system emits a single warn-level log event (HashiCorp Discussion).

Organizations should evaluate their risk exposure and upgrade to the patched versions: Vault Community Edition 1.20.0, or Vault Enterprise 1.20.0, 1.19.6, 1.18.11, 1.17.17, or 1.16.22. These versions contain the necessary fixes to prevent the denial of service vulnerability (HashiCorp Discussion).

The vulnerability was identified and reported by Alex Scheel from GitLab, demonstrating ongoing security research and responsible disclosure practices in the industry (HashiCorp Discussion).