CVE-2025-4656

Vault Community and Vault Enterprise rekey and recovery key operations can lead to a denial of service due to uncontrolled cancellation by a Vault operator. This vulnerability (CVE-2025-4656) has been remediated in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.6, 1.18.11, 1.17.17, and 1.16.22.

CVSS v3 3.1 LOW

3.1^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://discuss.hashicorp.com/t/hcsec-2025-11-vault-vulnerable-to-recovery-key-cancellation-denial-of-service/75570

Configurations

No configuration.

History

26 Jun 2025, 18:57

Type	Values Removed	Values Added
Summary		(es) Las operaciones de regeneración y recuperación de claves en Vault Community y Vault Enterprise pueden provocar una denegación de servicio debido a una cancelación incontrolada por parte del operador de Vault. Esta vulnerabilidad (CVE-2025-4656) se ha corregido en Vault Community Edition 1.20.0 y Vault Enterprise 1.20.0, 1.19.6, 1.18.11, 1.17.17 y 1.16.22.

25 Jun 2025, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-25 17:15

Updated : 2025-06-26 18:57

NVD link : CVE-2025-4656

Mitre link : CVE-2025-4656

CVE.ORG link : CVE-2025-4656

JSON object : View

Products Affected

No product.

CWE

CWE-1088

Synchronous Access of Remote Resource without Timeout

3.1 /10