Base Score

LOW3.1

CVE-2025-4656

Vault Community and Vault Enterprise rekey and recovery key operations can lead to a denial of service due to uncontrolled cancellation by a Vault operator. This vulnerability (CVE-2025-4656) has been remediated in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.6, 1.18.11, 1.17.17, and 1.16.22.

VectorNETWORK

Published Bysecurity@hashicorp.com

Published DateJun 25, 2025, 17:15

Affected Versions(1)

github.com/hashicorp/vault(Go)

Introduced1.14.8

Fixed1.20.0

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
github.com/hashicorp/vault(Go)	1.14.8	1.20.0	N/A

Weakness Type (CWE):CWE-1088

CVSS Metrics

Base Score

3.1

Vector String

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L

Base Severity

LOW

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

HIGH

Privileges Required (PR)

NONE

User Interaction (UI)

REQUIRED

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

NONE

Availability (A)

LOW

References

https://discuss.hashicorp.com/t/hcsec-2025-11-vault-vulnerable-to-recovery-key-cancellation-denial-of-service/75570

Base Score

LOW3.1

Weakness Type (CWE):CWE-1088

CVSS Metrics

Base Score

3.1

Vector String

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L

Base Severity

LOW

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

HIGH

Privileges Required (PR)

NONE

User Interaction (UI)

REQUIRED

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

NONE

Availability (A)

LOW