Advisory GHSA-qh7p-pfq3-677h references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/hashicorp/consul |
Description:
Consul and Consul Enterprise’s (“Consul”) event endpoint is vulnerable to denial of service (DoS) due to lack of maximum value on the Content Length header. This vulnerability, CVE-2025-11375, is fixed in Consul Community Edition 1.22.0 and Consul Enterprise 1.22.0, 1.21.6, 1.20.8 and 1.18.12.
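The advisory text above names the bug class (an HTTP endpoint with no upper bound on the declared Content-Length) but not the mechanism. The following Go program is an added illustration of that class and its usual fix, written for this report; it is not Consul's code, it does not reproduce the Consul fix, and the 64 KiB cap, the `/v1/event/fire/deploy` path and the `readEvent*` function names are assumptions made here. It shows two ways a handler gets hurt: a tiny body behind a lying 8 MiB Content-Length (the unbounded reader allocates for the declared size) and a chunked body with no Content-Length at all (the unbounded reader just keeps reading). The bounded reader rejects the declared size before allocating and caps the actual read with `http.MaxBytesReader`, which handles the chunked case too.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxEventBody is an assumed cap chosen for illustration only; the limit
// Consul actually adopted is not stated in this report.
const maxEventBody int64 = 64 << 10

// readEventUnbounded shows the bug class: the handler trusts the declared
// Content-Length and pre-sizes its buffer from it, so a client that sends a
// huge Content-Length with little or no real body drives memory use, and a
// chunked body (ContentLength == -1) is read with no cap at all.
func readEventUnbounded(r *http.Request) (body []byte, allocated int, err error) {
	var buf bytes.Buffer
	if r.ContentLength > 0 {
		buf.Grow(int(r.ContentLength)) // attacker-controlled allocation
	}
	if _, err = buf.ReadFrom(r.Body); err != nil {
		return nil, buf.Cap(), err
	}
	return buf.Bytes(), buf.Cap(), nil
}

// readEventBounded rejects an oversized declared length before allocating
// anything and caps the actual read with http.MaxBytesReader, which also
// covers chunked bodies that carry no Content-Length.
func readEventBounded(w http.ResponseWriter, r *http.Request, limit int64) (body []byte, status int, err error) {
	if r.ContentLength > limit {
		return nil, http.StatusRequestEntityTooLarge,
			fmt.Errorf("declared Content-Length %d exceeds limit %d", r.ContentLength, limit)
	}
	body, err = io.ReadAll(http.MaxBytesReader(w, r.Body, limit))
	if err != nil {
		var tooBig *http.MaxBytesError
		if errors.As(err, &tooBig) {
			return nil, http.StatusRequestEntityTooLarge, err
		}
		return nil, http.StatusBadRequest, err
	}
	return body, http.StatusOK, nil
}

// newEventRequest builds a server-side request the way a handler would see
// it. declared overrides the Content-Length the client claims; -1 means the
// body arrived chunked with no declared length. The path is an assumption.
func newEventRequest(payload string, declared int64) *http.Request {
	r := httptest.NewRequest(http.MethodPut, "/v1/event/fire/deploy", strings.NewReader(payload))
	r.ContentLength = declared
	return r
}

func main() {
	// Constructed sample: a 5-byte body behind a lying 8 MiB Content-Length.
	_, allocated, _ := readEventUnbounded(newEventRequest("hello", 8<<20))
	fmt.Printf("unbounded: allocated %d bytes for a 5-byte body\n", allocated)

	_, status, err := readEventBounded(httptest.NewRecorder(), newEventRequest("hello", 8<<20), maxEventBody)
	fmt.Printf("bounded:   status %d (%v)\n", status, err)

	// Constructed sample: a chunked body (no Content-Length) that is simply too big.
	chunked := newEventRequest(strings.Repeat("A", 200<<10), -1)
	_, status, err = readEventBounded(httptest.NewRecorder(), chunked, maxEventBody)
	fmt.Printf("bounded:   status %d (%v)\n", status, err)
}
```

The early Content-Length check matters even though `MaxBytesReader` alone would eventually fail the read: it stops the request before any code downstream pre-sizes a buffer from `r.ContentLength`, and it returns 413 without consuming the body. Whether a given Consul build is affected is a version question (fixed in 1.22.0 and the Enterprise backports listed above), not something this snippet tests.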
References:
- ADVISORY: GHSA-qh7p-pfq3-677h
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-11375
- FIX: hashicorp/consul@e794201
- FIX: fix: event endpoint content lenght limit hashicorp/consul#22836
- WEB: https://discuss.hashicorp.com/t/hcsec-2025-28-consuls-event-endpoint-is-vulnerable-to-denial-of-service/76723
- WEB: https://github.com/hashicorp/consul/releases/tag/v1.22.0
Cross references:
- github.com/hashicorp/consul appears in 29 other report(s):
- data/reports/GO-2022-0559.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-6hw5-6gcx-phmw #559)
- data/reports/GO-2022-0593.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-ccw8-7688-vqx4 #593)
- data/reports/GO-2022-0615.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-q6h7-4qgw-2j9p #615)
- data/reports/GO-2022-0776.yaml (x/vulndb: potential Go vuln in github.com/binance-chain/tss-lib/ecdsa/keygen: GHSA-23jv-v6qj-3fhh #776)
- data/reports/GO-2022-0847.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/consul/agent/structs: GHSA-hwqm-x785-qh8p #847)
- data/reports/GO-2022-0859.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/consul/agent: GHSA-p2j5-3f4c-224r #859)
- data/reports/GO-2022-0861.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/consul/agent/consul/discoverychain: GHSA-q2qr-3c2p-9235 #861)
- data/reports/GO-2022-0874.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-r9w6-rhh9-7v53 #874)
- data/reports/GO-2022-0879.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/consul/agent/config: GHSA-rqjq-mrgx-85hp #879)
- data/reports/GO-2022-0894.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-25gf-8qrr-g78r, CVE-2021-32574 #894)
- data/reports/GO-2022-0895.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/consul: CVE-2021-36213, GHSA-8h2g-r292-j8xh #895)
- data/reports/GO-2022-0953.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/consul: CVE-2022-24687, GHSA-hj93-5fg3-3chr #953)
- data/reports/GO-2022-1029.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-m69r-9g56-7mv8 #1029)
- data/reports/GO-2022-1121.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-gw2g-hhc9-wgjh #1121)
- data/reports/GO-2023-1639.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-wj6x-hcc2-f32j #1639)
- data/reports/GO-2023-1827.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-c57c-7hrj-6q6v #1827)
- data/reports/GO-2023-1828.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-rqjq-ww83-wv5c #1828)
- data/reports/GO-2023-1850.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-4qvx-qq5w-695p #1850)
- data/reports/GO-2023-1851.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-8xmx-h8rq-h94j #1851)
- data/reports/GO-2023-1852.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/consul/acl: GHSA-h65h-v7fw-4p38 #1852)
- data/reports/GO-2023-1853.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-q7fx-wm2p-qfj8 #1853)
- data/reports/GO-2023-1945.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-fhm8-cxcv-pwvc #1945)
- data/reports/GO-2024-2501.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-496g-fr33-whrf #2501)
- data/reports/GO-2024-2505.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-6m72-467w-94rh #2505)
- data/reports/GO-2024-2683.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-hr3v-8cp3-68rf #2683)
- data/reports/GO-2024-2704.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-9rhf-q362-77mx #2704)
- data/reports/GO-2024-3241.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-5c4w-8hhh-3c3h #3241)
- data/reports/GO-2024-3242.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-99wr-c2px-grmh #3242)
- data/reports/GO-2024-3243.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-chgm-7r52-whjj #3243)
See doc/quickstart.md for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: github.com/hashicorp/consul
      versions:
        - fixed: 1.22.0
      vulnerable_at: 1.22.0-rc2
summary: Consul event endpoint is vulnerable to denial of service in github.com/hashicorp/consul
cves:
    - CVE-2025-11375
ghsas:
    - GHSA-qh7p-pfq3-677h
references:
    - advisory: https://github.com/advisories/GHSA-qh7p-pfq3-677h
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-11375
    - fix: https://github.com/hashicorp/consul/commit/e794201d0c618333d81ad775270f7b32801178fb
    - fix: https://github.com/hashicorp/consul/pull/22836
    - web: https://discuss.hashicorp.com/t/hcsec-2025-28-consuls-event-endpoint-is-vulnerable-to-denial-of-service/76723
    - web: https://github.com/hashicorp/consul/releases/tag/v1.22.0
source:
    id: GHSA-qh7p-pfq3-677h
    created: 2025-10-29T16:01:17.388884573Z
review_status: UNREVIEWED
```