
CVE-2025-11375: Consul event endpoint is vulnerable to denial of service

CVSS Score (v3.1): 6.5

Basic Information

EPSS Score: 0.01475%
Published: 10/28/2025
Updated: 10/29/2025
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name: github.com/hashicorp/consul
Ecosystem: Go
Vulnerable Versions: < 1.22.0
First Patched Version: 1.22.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The security vulnerability, CVE-2025-11375, is a denial-of-service (DoS) weakness in Consul's event endpoint. The root cause is the lack of a maximum size limit on the Content-Length header for incoming requests. The analysis of the patch commit e794201d0c618333d81ad775270f7b32801178fb clearly shows the vulnerable code and the subsequent fix.

The modified file agent/event_endpoint.go contains the HTTP handler for the event endpoint. The function agent.HTTPHandlers.EventFire is where the vulnerability lies. Before the patch, the code would check if req.ContentLength > 0 and then proceed to copy the entire request body into a bytes.Buffer. This operation is unbounded and directly tied to the client-supplied Content-Length header. An attacker could exploit this by sending a request with an extremely large Content-Length value, forcing the Consul agent to allocate an excessive amount of memory, leading to a crash and a DoS.

The patch mitigates this by introducing a constant, maxEventPayloadSize, and adding a check to ensure the Content-Length does not exceed this value. If it does, the request is rejected with an http.StatusRequestEntityTooLarge status, preventing the large memory allocation. Therefore, the agent.HTTPHandlers.EventFire function is the precise location of the vulnerability.

Vulnerable functions

agent.HTTPHandlers.EventFire
agent/event_endpoint.go
The `EventFire` function is responsible for handling the `/v1/event/fire` endpoint. The vulnerability exists because the function reads the request body into a buffer based on the `Content-Length` header without imposing a size limit. An attacker can send a request with a very large `Content-Length`, causing the application to attempt to allocate a large amount of memory, leading to a denial-of-service condition as the server's resources are exhausted.
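A hardened handler of the shape the patch describes, written here as an added example (not Consul's own code): the declared Content-Length is compared against a cap before any of the body is read and an oversized request gets http.StatusRequestEntityTooLarge. It goes one step beyond the advisory by also capping the body reader with http.MaxBytesReader, so a chunked request that omits Content-Length cannot sidestep the header check. The handler name, the listen address and the value of maxEventPayloadSize are assumptions.

```go
package main

import (
	"bytes"
	"errors"
	"io"
	"log"
	"net/http"
)

// maxEventPayloadSize caps how much of an event body the handler will
// buffer. The 512 KiB value is an assumption for this example, not the
// constant Consul chose.
const maxEventPayloadSize = 512 * 1024

// eventFire is a hardened stand-in for a /v1/event/fire handler.
// The pre-patch logic only checked req.ContentLength > 0 before copying
// the whole body. Here the declared length is checked against the cap
// first, and the body reader is capped as well so a body sent without a
// Content-Length header (chunked encoding) is cut off at the same limit.
func eventFire(w http.ResponseWriter, req *http.Request) {
	if req.ContentLength > maxEventPayloadSize {
		http.Error(w, "event payload too large", http.StatusRequestEntityTooLarge)
		return
	}
	body := http.MaxBytesReader(w, req.Body, maxEventPayloadSize)
	defer body.Close()

	var buf bytes.Buffer
	if _, err := io.Copy(&buf, body); err != nil {
		var tooBig *http.MaxBytesError
		if errors.As(err, &tooBig) {
			http.Error(w, "event payload too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	// buf.Bytes() would now become the event payload; it holds at most
	// maxEventPayloadSize bytes regardless of what the client declared.
	w.WriteHeader(http.StatusOK)
	w.Write([]byte("accepted"))
}

func main() {
	http.HandleFunc("/v1/event/fire/", eventFire)
	log.Fatal(http.ListenAndServe("127.0.0.1:8500", nil))
}
```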

WAF Protection Rules

WAF Rule

Consul and Consul Enterprise's ("Consul") event endpoint is vulnerable to denial of service (DoS) due to lack of maximum value on the Content Length header. This vulnerability, CVE-2025-11375, is fixed in Consul Community Edition 1.22.0 and Consul En
