
CVE-2025-4656: Vault Community Edition rekey and recovery key operations can cause denial of service

CVSS Score: 3.1

Basic Information

EPSS Score: 0.12642%
Published: 6/26/2025
Updated: 6/27/2025
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L

Package Name: github.com/hashicorp/vault
Ecosystem: go
Vulnerable Versions: >= 1.14.8, < 1.20.0
First Patched Version: 1.20.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability lies in the uncontrolled cancellation of rekey and recovery key operations in HashiCorp Vault. The analysis of the provided patches, specifically commit 851984b567127bc5cd2dbc46e70a494eb40e7953, reveals the root cause. The DELETE /v1/sys/rekey/init and DELETE /v1/sys/rekey-recovery-key/init endpoints, handled by the http.handleSysRekeyInitDelete function, allowed cancellation of an ongoing rekey process without any authentication. This handler called the vault.Core.RekeyCancel function, which, prior to the patch, did not require any token or nonce to proceed with the cancellation.

An attacker could exploit this by repeatedly sending unauthenticated DELETE requests to these endpoints, effectively preventing any rekey operation from completing, thus causing a denial of service. The fix introduces a nonce-based mechanism. When a rekey is initiated, a unique nonce is generated. This nonce must be provided to cancel the operation within a 10-minute window, preventing an unauthorized user from disrupting the process. The identified vulnerable functions, http.handleSysRekeyInitDelete (the network entry point) and vault.Core.RekeyCancel (the core logic), would both appear in a runtime profile during the exploitation of this vulnerability.
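To make the before/after behaviour concrete, here is a constructed Go model of a rekey coordinator, written for this page and not Vault's own code: the `Core` type, `RekeyInit`, `RekeyCancel`, `RekeyCancelVulnerable`, the `cancelWindow` constant and the assumption that a rekey older than the 10-minute window may be cleared without the nonce are all this model's choices, derived from the description above.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)

// Constructed model of a rekey coordinator (not Vault's own code): the
// in-progress operation remembers its nonce and start time.
type Core struct {
	nonce   string           // empty when no rekey is in progress
	started time.Time
	now     func() time.Time // injectable clock so the window is testable
}

const cancelWindow = 10 * time.Minute // window from the advisory text

var ErrNoRekey = errors.New("no rekey in progress")
var ErrBadNonce = errors.New("nonce required to cancel within the window")

// RekeyInit starts a rekey and returns the nonce the operator must keep.
func (c *Core) RekeyInit() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	c.nonce, c.started = hex.EncodeToString(b), c.now()
	return c.nonce, nil
}

// RekeyCancelVulnerable mirrors the pre-patch handler: no token, no nonce.
func (c *Core) RekeyCancelVulnerable() { c.nonce = "" }

// RekeyCancel is the hardened form: inside the window the caller must
// present the nonce from RekeyInit; once the window has elapsed a stale
// rekey may be cleared without it (assumed reading of the advisory text).
func (c *Core) RekeyCancel(nonce string) error {
	if c.nonce == "" {
		return ErrNoRekey
	}
	if c.now().Sub(c.started) < cancelWindow && nonce != c.nonce {
		return ErrBadNonce
	}
	c.nonce = ""
	return nil
}
```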

WAF Protection Rules

WAF Rule

Vault Community and Vault Enterprise rekey and recovery key operations can lead to a denial of service due to uncontrolled cancellation by a Vault operator. This vulnerability (CVE-****-****) has been remediated in Vault Community Edition *.**.* and
