HashiCorp Vault and Vault Enterprise Unauthenticated Denial-of-Service Vulnerability via JSON Payloads

Vulnerability

A denial-of-service vulnerability has been identified in HashiCorp Vault and Vault Enterprise. The issue is a regression in how both editions process JSON payloads, which allows an unauthenticated denial-of-service condition. The vulnerability is present in Vault Community Edition versions 1.20.3 to 1.20.4 and in Vault Enterprise versions 1.20.3 to 1.20.4, 1.19.9 to 1.19.10, 1.18.14 to 1.18.15, and 1.16.25 to 1.16.26. The root cause is an earlier fix that inadvertently allowed JSON payloads to be processed before rate limiting was applied, so an unauthenticated client can drive resource exhaustion. This vulnerability is fixed in Vault Community Edition 1.21.0 and Vault Enterprise 1.21.0, 1.19.11, and 1.16.27.

Impact

Exploitation of this vulnerability can cause service unavailability or crashes by consuming CPU and memory resources.

Remediation

Users are advised to upgrade to Vault Community Edition 1.21.0 or Vault Enterprise 1.21.0, 1.19.11, or 1.16.27.
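The following check, added here as an example and not part of the advisory or of HashiCorp's tooling, encodes the affected and fixed versions listed above and evaluates the version a Vault node reports. It assumes the version string has the form Vault returns in the `version` field of `GET /v1/sys/health` (`1.20.3` for Community Edition, `1.20.3+ent` for Enterprise); the health response embedded below is constructed, not captured from a real server.

```python
"""Determine whether a reported Vault version falls in this advisory's affected ranges.

Added example; not the advisory's or HashiCorp's code. Assumes the version
string follows the `X.Y.Z` / `X.Y.Z+ent` form seen in `GET /v1/sys/health`.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges as listed in the advisory (inclusive bounds), per edition.
AFFECTED: Dict[str, List[Tuple[Version, Version]]] = {
    "ce": [((1, 20, 3), (1, 20, 4))],
    "ent": [
        ((1, 20, 3), (1, 20, 4)),
        ((1, 19, 9), (1, 19, 10)),
        ((1, 18, 14), (1, 18, 15)),
        ((1, 16, 25), (1, 16, 26)),
    ],
}

# Fixed versions as listed in the advisory, per edition.
FIXED: Dict[str, List[Version]] = {
    "ce": [(1, 21, 0)],
    "ent": [(1, 21, 0), (1, 19, 11), (1, 16, 27)],
}

# major.minor.patch, optionally followed by a pre-release (-rc1) or build (+ent) suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_version(raw: str) -> Tuple[str, Version]:
    """Return (edition, (major, minor, patch)) for a Vault version string.

    Edition is "ent" when the build metadata carries "+ent", otherwise "ce".
    """
    m = _VERSION_RE.match(raw.strip())
    if not m:
        raise ValueError(f"unrecognised Vault version string: {raw!r}")
    edition = "ent" if "+ent" in raw else "ce"
    major, minor, patch = (int(x) for x in m.groups())
    return edition, (major, minor, patch)


def is_affected(raw: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges."""
    edition, ver = parse_version(raw)
    return any(lo <= ver <= hi for lo, hi in AFFECTED[edition])


def same_line_fix(raw: str) -> Optional[str]:
    """Fixed version on the same major.minor line, if the advisory lists one.

    Returns None when no fix is listed for that line (for example Enterprise
    1.18.x), in which case the operator must pick from FIXED[edition].
    """
    edition, ver = parse_version(raw)
    for fix in FIXED[edition]:
        if fix[:2] == ver[:2]:
            return ".".join(map(str, fix))
    return None


def check_health_response(body: str) -> dict:
    """Evaluate the JSON body of GET /v1/sys/health and summarise exposure."""
    raw_version = json.loads(body)["version"]
    edition, _ = parse_version(raw_version)
    return {
        "version": raw_version,
        "edition": edition,
        "affected": is_affected(raw_version),
        "same_line_fix": same_line_fix(raw_version),
        "fixed_versions": [".".join(map(str, f)) for f in FIXED[edition]],
    }


# Constructed sample response: field names follow sys/health, values are made up.
SAMPLE_HEALTH = json.dumps({
    "initialized": True,
    "sealed": False,
    "standby": False,
    "version": "1.20.3+ent",
    "cluster_name": "vault-cluster-example",
})

if __name__ == "__main__":
    print(json.dumps(check_health_response(SAMPLE_HEALTH), indent=2))
```

Because `sys/health` is reachable without a token, this check can run from a monitoring host against each node without credentials; note that Community Edition on the 1.19.x, 1.18.x or 1.16.x lines is not in the advisory's affected list, and the check reflects that rather than assuming symmetry with Enterprise.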

Added: Oct 23, 2025, 8:24 PM
Updated: Oct 23, 2025, 8:24 PM

Vulnerability Rating

Custom Algorithm

spread: 7.3
impact: 2.5
exploitability: 7.4
remediation: 7.7
relevance: 0.8
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.