
CVE-2025-11374: Consul key/value endpoint is vulnerable to denial of service

CVSS Score (v3.1): 6.5

Basic Information

EPSS Score: 0.01475%
Published: 10/28/2025
Updated: 10/29/2025
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name                 Ecosystem  Vulnerable Versions  First Patched Version
github.com/hashicorp/consul  go         < 1.22.0             1.22.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability is a denial-of-service (DoS) in the Consul KV endpoint caused by improper validation of the Content-Length header in PUT requests. The analysis of the patch commit 72a358cd02533477536ad4bd2b781f520fa7fac6 reveals that the agent.HTTPHandlers.KVSPut function in agent/kvs_endpoint.go was modified to address this. The original code only checked if a provided Content-Length exceeded the maximum allowed value. It did not handle cases where the Content-Length header was missing or zero, which led to an unbounded read of the request body via io.Copy. This could be exploited to cause memory exhaustion. The fix introduces a switch statement to handle various scenarios, including using http.MaxBytesReader to enforce a size limit on the request body when the Content-Length is not specified. Therefore, the agent.HTTPHandlers.KVSPut function is the identified vulnerable function that would appear in a runtime profile during exploitation.

Vulnerable functions

agent.HTTPHandlers.KVSPut
agent/kvs_endpoint.go
The `KVSPut` function was vulnerable to a denial-of-service attack. Before the patch, if a PUT request was sent to the KV endpoint without a `Content-Length` header, the function would attempt to read the entire request body into memory using `io.Copy`. An attacker could exploit this by sending a request with a very large body, causing the server to exhaust its memory and crash. The patch introduces proper validation by using `http.MaxBytesReader` to limit the size of the request body read when the `Content-Length` is not provided.
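The before/after shapes described above, as an added Go sketch that is not Consul's code: maxKVSize, the handler names, the bufferBody helper and the /v1/kv/example target are assumptions. exercise drives each handler with a body of undeclared length (httptest reports ContentLength == -1) so the unbounded buffering and the http.MaxBytesReader cap can be compared directly.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"io"
	"net/http"
	"net/http/httptest"
)

const maxKVSize = 512 * 1024 // hypothetical; Consul's real limit is an agent setting

// bufferBody copies the body into memory as the endpoint did; -1 on failure.
func bufferBody(w http.ResponseWriter, r *http.Request) int {
	var buf bytes.Buffer
	if _, err := io.Copy(&buf, r.Body); err != nil {
		http.Error(w, "value too large", http.StatusRequestEntityTooLarge)
		return -1
	}
	return buf.Len()
}

// kvPutVulnerable has the pre-patch shape: only a declared Content-Length above
// the limit is rejected, so an undeclared length (ContentLength == -1) is read unbounded.
func kvPutVulnerable(w http.ResponseWriter, r *http.Request) int {
	if r.ContentLength > maxKVSize {
		http.Error(w, "value too large", http.StatusRequestEntityTooLarge)
		return -1
	}
	return bufferBody(w, r)
}

// kvPutFixed keeps the up-front rejection and wraps every other case (small, zero
// or unknown length) in http.MaxBytesReader, so the copy fails after maxKVSize bytes.
func kvPutFixed(w http.ResponseWriter, r *http.Request) int {
	if r.ContentLength > maxKVSize {
		http.Error(w, "value too large", http.StatusRequestEntityTooLarge)
		return -1
	}
	r.Body = http.MaxBytesReader(w, r.Body, maxKVSize)
	return bufferBody(w, r)
}

// exercise sends a PUT of `size` constructed random bytes with no declared Content-Length
// (httptest reports -1 for a LimitedReader); returns status and bytes buffered.
func exercise(h func(http.ResponseWriter, *http.Request) int, size int64) (int, int) {
	rec := httptest.NewRecorder()
	n := h(rec, httptest.NewRequest(http.MethodPut, "/v1/kv/example", io.LimitReader(rand.Reader, size)))
	return rec.Code, n
}
```

With an 8 MiB undeclared-length body the vulnerable handler answers 200 after buffering all 8 MiB, while the fixed handler answers 413 having buffered at most maxKVSize bytes.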

WAF Protection Rules

WAF Rule

Consul and Consul Enterprise’s (“Consul”) key/value endpoint is vulnerable to denial of service (DoS) due to incorrect Content Length header validation. This vulnerability, CVE-2025-11374, is fixed in Consul Community Edition 1.22.0 and Consul Enterp
