
CVE-2025-12044: Hashicorp Vault and Vault Enterprise vulnerable to a denial of service when processing JSON

CVSS Score: 7.5 (CVSS v3.1)

Basic Information

EPSS Score: -
Published: 10/23/2025
Updated: 10/23/2025
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name: github.com/hashicorp/vault
Ecosystem: go
Vulnerable Versions: >= 1.20.3, < 1.21.0
First Patched Version: 1.21.0

Vulnerability Intelligence

Root Cause Analysis

The vulnerability, CVE-2025-12044, is a denial of service in Hashicorp Vault caused by a regression in a security feature designed to prevent DoS from complex JSON payloads. The analysis of the provided patches reveals that the vulnerability was introduced in commit eedc2b7426f30e57e306229ce697ce81e203ab89 and fixed in b19e74c29a33ed2a99fc01626104db1a49345df3.

The root cause is the inefficient implementation of the VerifyMaxDepthStreaming function in the sdk/helper/jsonutil package. This function, intended to validate the nesting depth of incoming JSON before it is fully decoded, used the standard json.Decoder, which performs poorly on certain crafted inputs (e.g., strings with many escape characters), leading to high CPU and memory usage and ultimately a denial of service. In effect, the security check itself became the attack vector.

The exploitation of this vulnerability would involve sending a specially crafted JSON payload to a Vault HTTP endpoint. The request would be processed by the wrapMaxRequestSizeHandler middleware, which in turn calls jsonLimitsValidation. This function then invokes the vulnerable VerifyMaxDepthStreaming function, triggering the excessive resource consumption.

The identified vulnerable functions are:

  1. github.com/hashicorp/vault/http.wrapMaxRequestSizeHandler: The HTTP middleware that initiates the vulnerable validation process.
  2. github.com/hashicorp/vault/http.jsonLimitsValidation: The helper function that reads the request body and calls the parser.
  3. github.com/hashicorp/vault/sdk/helper/jsonutil.VerifyMaxDepthStreaming: The core function containing the flawed, resource-intensive JSON parsing logic.

A runtime profile during an exploit would show significant time spent in these functions, particularly VerifyMaxDepthStreaming.

Vulnerable functions

github.com/hashicorp/vault/sdk/helper/jsonutil.VerifyMaxDepthStreaming
sdk/helper/jsonutil/json.go
This function contains the core of the vulnerability. The version introduced in commit `eedc2b7426f30e57e306229ce697ce81e203ab89` used the standard `json.Decoder`, which can consume excessive resources when parsing crafted JSON payloads, particularly those with a large number of escape sequences in strings. This leads to a denial of service. The function was intended to be a security control but became a vulnerability vector itself. The fix in `b19e74c29a33ed2a99fc01626104db1a49345df3` replaces the inefficient decoder with a manual, more performant parser.
github.com/hashicorp/vault/http.jsonLimitsValidation
http/util.go
This function serves as the bridge between the HTTP request handling and the vulnerable JSON parsing logic. It reads the request body and passes it to `VerifyMaxDepthStreaming`. As the direct caller of the vulnerable function, it is an essential part of the execution path that leads to the denial of service.
github.com/hashicorp/vault/http.wrapMaxRequestSizeHandler
http/util.go
This HTTP middleware is the entry point for the vulnerability. It intercepts incoming HTTP requests to apply size and, with the flawed patch, JSON structure limits. By calling `jsonLimitsValidation`, it initiates the vulnerable parsing process. Any HTTP request that triggers this denial of service vulnerability will have `wrapMaxRequestSizeHandler` in its execution stack.
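To illustrate the kind of mitigation described for VerifyMaxDepthStreaming (a single-pass, escape-aware depth counter that does not tokenize the whole document), here is an added Go example written for this page; it is not Vault's code, and the name VerifyMaxDepthBytes and the sample input are assumptions. The point is that strings are skipped byte by byte while honouring escapes, so the cost is linear in the payload size no matter how many escape sequences it contains.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrMaxDepth is returned when nesting exceeds the configured limit.
var ErrMaxDepth = errors.New("json: nesting depth exceeds limit")

// VerifyMaxDepthBytes is a hypothetical helper (not Vault's own
// VerifyMaxDepthStreaming). It scans the payload once, counting only the
// nesting of {} and []. String bodies are skipped byte by byte while
// honouring backslash escapes, so an escaped quote or bracket inside a
// string never changes the depth and the cost stays O(len(data)).
func VerifyMaxDepthBytes(data []byte, maxDepth int) error {
	depth, inString, escaped := 0, false, false
	for _, b := range data {
		if inString {
			switch {
			case escaped:
				escaped = false // the byte after a backslash is consumed as-is
			case b == '\\':
				escaped = true
			case b == '"':
				inString = false
			}
			continue
		}
		switch b {
		case '"':
			inString = true
		case '{', '[':
			depth++
			if depth > maxDepth {
				return ErrMaxDepth
			}
		case '}', ']':
			depth--
		}
	}
	return nil
}

func main() {
	// Constructed sample: the brackets inside the escaped string do not count.
	fmt.Println(VerifyMaxDepthBytes([]byte(`{"a":[1,{"b":"[\"\\\"]"}]}`), 3))
}
```

The sample document nests three levels deep, so it passes with a limit of 3 and is rejected with a limit of 2; a checker like this still needs to run behind the request size limit so that the scan itself is bounded.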

WAF Protection Rules

WAF Rule

Vault and Vault Enterprise ("Vault") are vulnerable to an unauthenticated denial of service when processing JSON payloads. This occurs due to a regression from a previous fix for [+HCSEC-****-**+|https://discuss.hashicorp.com/t/hcsec-****-**-vault-**