GHSA-g233-2p4r-3q7v

GitHub Security Advisory

HashiCorp Vault vulnerable to denial of service through memory exhaustion

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

Vault Community and Vault Enterprise (“Vault”) clusters using Vault’s Integrated Storage backend are vulnerable to a denial-of-service (DoS) attack that exhausts memory via a Raft cluster join API endpoint. An attacker may send a large volume of requests to the endpoint, which may cause Vault to consume excessive system memory, potentially crashing the underlying system and the Vault process itself.

This vulnerability, CVE-2024-8185, is fixed in Vault Community 1.18.1 and Vault Enterprise 1.18.1, 1.17.8, and 1.16.12.

Affected Packages

Go github.com/hashicorp/vault
Affected versions: 1.2.0 (fixed in 1.18.1)
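
A triage check built from the version data above, as an added example that is not code from HashiCorp or from the advisory. The names `Affected`, `less` and `entFix` are hypothetical, version strings are assumed to look like `1.18.1` or `1.17.8+ent`, and "Affected versions: 1.2.0" is read as the lower bound of the affected range; Enterprise release lines with no fix listed are treated as needing 1.18.1.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Fixed Enterprise releases per 1.x minor line, as listed in the advisory.
var entFix = map[int][3]int{16: {1, 16, 12}, 17: {1, 17, 8}}

// less reports whether version n sorts before release x; a pre-release of x sorts before x.
func less(n [3]int, pre bool, x [3]int) bool {
	for i := range x {
		if n[i] != x[i] {
			return n[i] < x[i]
		}
	}
	return pre
}

// Affected reports whether a node at this version, with or without Integrated Storage, is in scope.
func Affected(version string, integratedStorage bool) (bool, error) {
	core, build, _ := strings.Cut(strings.TrimPrefix(strings.TrimSpace(version), "v"), "+")
	core, _, pre := strings.Cut(core, "-") // pre is true for tags such as -rc1
	f := strings.Split(core, ".")
	var n [3]int
	var err error
	for i := 0; i < 3 && len(f) == 3 && err == nil; i++ {
		n[i], err = strconv.Atoi(f[i])
	}
	if len(f) != 3 || err != nil {
		return false, fmt.Errorf("unexpected version %q", version)
	}
	fix := [3]int{1, 18, 1} // Community, and Enterprise lines without a listed fix (assumption)
	if ef, ok := entFix[n[1]]; ok && n[0] == 1 && strings.HasPrefix(build, "ent") {
		fix = ef
	}
	return integratedStorage && !less(n, pre, [3]int{1, 2, 0}) && less(n, pre, fix), nil
}

func main() {
	fmt.Println(Affected("1.17.6+ent", true)) // constructed sample version
}
```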

Key Information

GHSA ID
GHSA-g233-2p4r-3q7v
Published
October 31, 2024 6:31 PM
Last Modified
October 31, 2024 8:46 PM
CVSS Score
7.5/10
Primary Ecosystem
Go
Primary Package
github.com/hashicorp/vault
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 6, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.