CVE-2025-11375 is a resource exhaustion vulnerability classified under CWE-770 (Allocation of Resources Without Limits or Throttling) affecting HashiCorp Consul's event endpoint. The vulnerability stems from the event endpoint's failure to impose a maximum limit on the Content-Length HTTP header, which controls the size of incoming requests. An attacker with network access and low privileges can exploit this by sending a request with an excessively large Content-Length value. Because the server does not throttle or limit resource allocation for such requests, it can lead to excessive memory or CPU consumption, ultimately resulting in a denial of service (DoS) condition where legitimate requests cannot be processed. The vulnerability does not require user interaction and does not affect confidentiality or integrity, but it impacts availability. The CVSS v3.1 base score is 6.5 (medium severity), reflecting the network attack vector, low attack complexity, requirement for privileges, no user interaction, and impact limited to availability. HashiCorp has addressed this issue in Consul Community Edition 1.22.0 and multiple Enterprise versions (1.22.0, 1.21.6, 1.20.8, 1.18.12). Organizations running earlier versions are vulnerable to potential DoS attacks that could disrupt service discovery and infrastructure automation workflows dependent on Consul.

For European organizations, the primary impact of CVE-2025-11375 is the potential for denial of service attacks against critical infrastructure components that rely on HashiCorp Consul for service discovery, configuration, and orchestration. Disruption of Consul services can cascade to affect microservices communication, load balancing, and automated infrastructure management, leading to downtime or degraded performance of business-critical applications. This is particularly significant for sectors with high cloud and DevOps adoption such as finance, telecommunications, and public services. Additionally, organizations using Consul in multi-tenant or shared environments may face increased risk if attackers can exploit the vulnerability to impact multiple customers. While no data breach or integrity compromise is indicated, availability loss can result in operational delays, financial losses, and reputational damage. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits post-disclosure.

To mitigate CVE-2025-11375, European organizations should: 1) Immediately upgrade to the fixed versions of HashiCorp Consul Community Edition (1.22.0) or the corresponding Enterprise versions (1.22.0, 1.21.6, 1.20.8, 1.18.12). 2) Implement network-level protections such as rate limiting and request size restrictions on the event endpoint to prevent oversized requests from reaching Consul. 3) Monitor Consul logs and network traffic for anomalous large Content-Length headers or unusual request patterns indicative of exploitation attempts. 4) Employ Web Application Firewalls (WAFs) or API gateways capable of enforcing maximum request size limits and throttling. 5) Conduct regular vulnerability scanning and penetration testing focused on resource exhaustion vectors. 6) Isolate Consul instances within secure network segments and restrict access to trusted users and systems only, minimizing the attack surface. 7) Maintain an incident response plan that includes DoS scenarios affecting service discovery components. These steps go beyond generic patching by emphasizing proactive detection, network controls, and operational readiness.