The CVE-2025-11374 vulnerability in HashiCorp Consul stems from improper validation of the `Content-Length` HTTP header for requests made to its key/value (KV) API endpoint. A malicious actor can exploit this flaw by sending a specially crafted HTTP request with a deliberately incorrect `Content-Length` header value. For instance, an attacker could send a POST request to the `/v1/kv/` endpoint where the declared `Content-Length` is significantly larger than the actual amount of data transmitted in the request body. This inconsistency causes the Consul server to enter a state where it waits indefinitely for the remaining data that will never arrive. This persistent waiting state consumes server resources, specifically worker threads or connections, leading to a denial of service as legitimate clients can no longer establish new connections or have their KV store requests processed, effectively exhausting the application’s capacity.
Platform: Consul/Consul Enterprise
Version: <1.22.0, <1.21.6
Vulnerability: Incorrect Content-Length
Severity: Moderate
Date: 2025-10-28
Prediction: Patch 2025-11-11
What Undercode Says:
```shell
# Proof-of-concept request as posted: the declared Content-Length far exceeds the 4-byte body.
curl -X POST http://consul-server:8500/v1/kv/exploit -d "data" -H "Content-Length: 100000000"
```
```go
// Go fragment as posted (requires the bytes and net/http imports); the header
// claims a 1,000,000-byte body while only "short" is supplied.
req, _ := http.NewRequest("POST", "http://localhost:8500/v1/kv/test", bytes.NewBufferString("short"))
req.Header.Set("Content-Length", "1000000")
http.DefaultClient.Do(req)
```
How the Exploit Works:
Craft malformed HTTP request.
Mismatch header with body.
Exhausts server connections.
Protection from this CVE:
Upgrade to patched versions.
Implement network ACLs.
Use a WAF.
Impact:
Service unavailability.
Resource exhaustion.
API endpoint denial.
Sources:
Reported By: github.com