{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-08T23:27:55.397","vulnerabilities":[{"cve":{"id":"CVE-2025-12044","sourceIdentifier":"security@hashicorp.com","published":"2025-10-23T20:15:37.607","lastModified":"2025-12-23T20:26:03.503","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Vault and Vault Enterprise (“Vault”) are vulnerable to an unauthenticated denial of service when processing JSON payloads. This occurs due to a regression from a previous fix for HCSEC-2025-24 (https://discuss.hashicorp.com/t/hcsec-2025-24-vault-denial-of-service-though-complex-json-payloads/76393); the regression allowed JSON payloads to be processed before rate limits were applied. This vulnerability, CVE-2025-12044, is fixed in Vault Community Edition 1.21.0 and Vault Enterprise 1.16.27, 1.19.11, 1.20.5, and 1.21.0."}],"metrics":{"cvssMetricV31":[{"source":"security@hashicorp.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"security@hashicorp.com","type":"Secondary","description":[{"lang":"en","value":"CWE-770"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*","versionStartIncluding":"1.16.25","versionEndExcluding":"1.16.27","matchCriteriaId":"A80F6E6B-73F4-4613-B524-E74ABD893175"},{"vulnerable":true,"criteria":"cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*","versionStartIncluding":"1.18.14","versionEndIncluding":"1.18.15","matchCriteriaId":"5E92B1F3-EE4C-4F21-9E0D-3A36CF7D5FA4"},{"vulnerable":true,"criteria":"cpe:2.3:a:ha
shicorp:vault:*:*:*:*:enterprise:*:*:*","versionStartIncluding":"1.19.9","versionEndIncluding":"1.19.11","matchCriteriaId":"CD76B351-286F-4F2F-8F67-B09DE58089DF"},{"vulnerable":true,"criteria":"cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*","versionStartIncluding":"1.20.3","versionEndExcluding":"1.20.5","matchCriteriaId":"564C8B93-D4B4-40A2-B240-AFE8A02B743F"},{"vulnerable":true,"criteria":"cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*","versionStartIncluding":"1.20.3","versionEndExcluding":"1.21.0","matchCriteriaId":"199D575A-2712-4522-8E00-B46120F572E6"}]}]}],"references":[{"url":"https://discuss.hashicorp.com/t/hcsec-2025-31-vault-vulnerable-to-denial-of-service-due-to-rate-limit-regression/76710","source":"security@hashicorp.com","tags":["Vendor Advisory"]}]}}]}