CVE-2025-4656: Vault Community Edition rekey and recovery key operations can cause denial of service

June 26, 2025 (updated June 27, 2025)

Vault Community and Vault Enterprise rekey and recovery key operations can lead to a denial of service due to uncontrolled cancellation by a Vault operator. This vulnerability (CVE-2025-4656) has been remediated in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.6, 1.18.11, 1.17.17, and 1.16.22.

References

discuss.hashicorp.com/t/hcsec-2025-11-vault-vulnerable-to-recovery-key-cancellation-denial-of-service/75570
github.com/advisories/GHSA-fhc2-8qx8-6vj7
github.com/hashicorp/vault
github.com/hashicorp/vault/pull/30794
nvd.nist.gov/vuln/detail/CVE-2025-4656

Code Behaviors & Features

Detect and mitigate CVE-2025-4656 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →