CVE-2025-6203

HashiCorp · HashiCorp Vault

**A high-severity denial-of-service vulnerability in Vault allows an authenticated malicious user to cause excessive resource consumption, leading to service unavailability.**

Executive summary

A high-severity denial-of-service vulnerability in Vault allows an authenticated malicious user to cause excessive resource consumption, leading to service unavailability.

Vulnerability

An authenticated user can submit a specially crafted, complex payload that, while within size limits, forces the Vault application to consume excessive CPU and memory resources during processing. This leads to resource exhaustion and a denial-of-service (DoS) condition, making the Vault service unresponsive to legitimate requests.

Business impact

This vulnerability is rated High with a CVSS score of 7.5. As Vault is a critical infrastructure component for secrets management, a DoS condition can have a cascading impact, preventing applications and services from starting up or accessing necessary credentials. This can lead to widespread outages across the organization's technology stack.

Remediation

Immediate Action: Upgrade Vault to a patched version as specified in the official HashiCorp security advisory. The patch will likely include improved validation and resource limits for payload processing.

Proactive Monitoring: Monitor the CPU and memory utilization of Vault server processes for abnormal spikes. Correlate resource usage with API requests to identify potential exploitation attempts. Implement alerting for sustained high resource consumption.

Compensating Controls: Place a reverse proxy or API gateway in front of Vault to enforce stricter request size and complexity limits than the application's defaults. Implement rate limiting for API endpoints that are susceptible to this issue.
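One way to implement the resource-usage-to-request correlation recommended above, as an added example (not code from the advisory or from HashiCorp): it scans constructed CPU samples for sustained spikes, then counts which token accessor and request path were active during each spike window. The threshold and sample count are assumed values, and the audit entries are a simplified shape of Vault's JSON audit log.

```python
# Added example (not from the advisory or HashiCorp): flag sustained Vault CPU
# spikes and list the API callers active during them. All samples are constructed;
# audit lines use a simplified shape of Vault's JSON audit log (time/type/auth/request).
from collections import Counter
from datetime import datetime, timedelta
import json

CPU_THRESHOLD = 85.0   # percent; assumed alerting threshold
SUSTAINED = 3          # consecutive hot samples before the spike counts as sustained

# Constructed metrics: (timestamp, CPU %), sampled every 10 s.
METRICS = [("2025-09-01T10:00:00Z", 12.0), ("2025-09-01T10:00:10Z", 91.5),
           ("2025-09-01T10:00:20Z", 97.0), ("2025-09-01T10:00:30Z", 99.0),
           ("2025-09-01T10:00:40Z", 15.0)]
def _entry(time, accessor, path):   # one constructed audit-log line
    return json.dumps({"time": time, "type": "request",
                       "auth": {"accessor": accessor}, "request": {"path": path}})

AUDIT_LOG = "\n".join([
    _entry("2025-09-01T09:59:55Z", "acc-svc-app", "secret/data/app"),
    _entry("2025-09-01T10:00:12Z", "acc-suspect", "secret/data/bulk"),
    _entry("2025-09-01T10:00:21Z", "acc-suspect", "secret/data/bulk"),
    _entry("2025-09-01T10:00:29Z", "acc-svc-app", "secret/data/app"),
    _entry("2025-09-01T10:00:31Z", "acc-suspect", "secret/data/bulk"),
])
def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def hot_windows(metrics, threshold=CPU_THRESHOLD, sustained=SUSTAINED):
    """Return (start, end) for each run of >= sustained samples above threshold."""
    windows, run = [], []
    for ts, cpu in list(metrics) + [("end", 0.0)]:  # sentinel closes the last run
        if cpu > threshold:
            run.append(_ts(ts))
        else:
            if len(run) >= sustained:
                windows.append((run[0], run[-1]))
            run = []
    return windows

def callers_during(audit_log, windows, slack=timedelta(seconds=10)):
    """Count (accessor, path) pairs for requests inside a hot window (+/- slack)."""
    counts = Counter()
    for line in audit_log.splitlines():
        e = json.loads(line)
        if e.get("type") != "request":
            continue
        t = _ts(e["time"])
        if any(start - slack <= t <= end + slack for start, end in windows):
            counts[(e["auth"]["accessor"], e["request"]["path"])] += 1
    return counts.most_common()   # busiest callers first
```

In production the same two functions would be fed from the metrics backend and the audit device's output; a caller that dominates every sustained window is the lead for deciding whether to revoke the token or tighten the front-end limits.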

Exploitation status

Public Exploit Available: false

Analyst recommendation

The availability of the secrets management system is critical for modern infrastructure. This high-severity DoS vulnerability must be addressed promptly by upgrading Vault to prevent an authenticated attacker from causing a service-wide outage.