Vault DoS via Uncontrolled Cancellation in Rekey Ops Before 1.20.0
CVE-2025-4656 Published on June 25, 2025
Vault Vulnerable to Recovery Key Cancellation Denial of Service
Vault Community and Vault Enterprise rekey and recovery key operations can lead to a denial of service due to uncontrolled cancellation by a Vault operator. This vulnerability (CVE-2025-4656) has been remediated in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.6, 1.18.11, 1.17.17, and 1.16.22.
Weakness Type
Synchronous Access of Remote Resource without Timeout
The code has a synchronous call to a remote resource, but there is no timeout for the call, or the timeout is set to infinite.
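The weakness class above is easiest to see in code. The following is an added illustration written for this page, not Vault's code and not a reproduction of the Vault rekey path: a constructed loopback TCP server that accepts a connection and never answers stands in for a remote resource that has stalled. `fetchNoTimeout` shows the weak pattern (a blocking `Read` with no deadline, which never returns), and `fetchWithTimeout` shows the corrected pattern, which bounds both the dial and the read and surfaces a `net.Error` whose `Timeout()` is true. Function and server names are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"time"
)

// startSilentServer starts a loopback TCP listener that accepts connections
// and holds them open without ever writing a byte. It is a constructed
// stand-in for a remote resource that stops responding.
func startSilentServer() (net.Listener, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, err
	}
	done := make(chan struct{})
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				close(done) // listener closed: release held connections
				return
			}
			go func(c net.Conn) {
				defer c.Close()
				<-done // keep the connection idle until the listener shuts down
			}(c)
		}
	}()
	return ln, nil
}

// fetchNoTimeout is the weak pattern (CWE "Synchronous Access of Remote
// Resource without Timeout"): if the peer never writes, Read blocks forever
// and the caller, and anything waiting on it, is wedged.
func fetchNoTimeout(addr string) ([]byte, error) {
	c, err := net.Dial("tcp", addr)
	if err != nil {
		return nil, err
	}
	defer c.Close()
	buf := make([]byte, 64)
	n, err := c.Read(buf) // no deadline: may never return
	return buf[:n], err
}

// fetchWithTimeout is the corrected pattern: the dial and the read are both
// bounded, so a silent peer produces a timeout error instead of a hang.
func fetchWithTimeout(addr string, timeout time.Duration) ([]byte, error) {
	c, err := net.DialTimeout("tcp", addr, timeout)
	if err != nil {
		return nil, err
	}
	defer c.Close()
	if err := c.SetDeadline(time.Now().Add(timeout)); err != nil {
		return nil, err
	}
	buf := make([]byte, 64)
	n, err := c.Read(buf) // returns a net.Error with Timeout()==true once the deadline passes
	return buf[:n], err
}

// IsTimeout reports whether err is a network timeout, which is what callers
// should branch on to fail the operation cleanly and release held state.
func IsTimeout(err error) bool {
	var ne net.Error
	return errors.As(err, &ne) && ne.Timeout()
}

func main() {
	ln, err := startSilentServer()
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	// fetchNoTimeout(ln.Addr().String()) would block here indefinitely.
	_, err = fetchWithTimeout(ln.Addr().String(), 200*time.Millisecond)
	fmt.Printf("bounded call returned; timeout=%v err=%v\n", IsTimeout(err), err)
}
```

The point for a reviewer is that the bounded call must fail and let the caller clean up (here, close the connection via `defer`); a timeout that is never set, or set to infinity, is equivalent to the weak form.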
Products Associated with CVE-2025-4656
Affected Versions
HashiCorp Vault: versions from 1.14.8 up to, but not including, 1.20.0 are affected. For Vault Enterprise, the patched releases on the older branches are 1.19.6, 1.18.11, 1.17.17, and 1.16.22, as listed above.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.