⚠️ MEDIUM advisory

CVE-2025-11375 HashiCorp Consul - Event API DoS Fixed

Consul's event API trusts whatever Content-Length you send—meaning authenticated attackers can claim a 1 GB payload, force the server to allocate unbounded memory, and crash the entire service mesh.

What's nasty: RCE Security found that the /v1/event/fire endpoint reads request bodies into memory without any size validation. The handler just uses io.Copy(&buf, req.Body) and trusts the client-supplied Content-Length header completely. An attacker with valid API credentials can send arbitrarily large payloads and exhaust memory until Consul crashes. This affects Consul Community and Enterprise versions up to 1.21.5 (plus 1.20.7, 1.19.9, and 1.18.11 for Enterprise). HashiCorp patched it on October 27, 2025 in version 1.22.0 and in backports (1.21.6, 1.20.8, 1.18.12).

What's concerning: service registry or mesh instability cascades into application downtime—if Consul crashes, health checks fail, service discovery breaks, and dependent microservices lose routing. The attack complexity is low (just an authenticated API call with a massive Content-Length), so cloud-native deployments with exposed management APIs or shared credentials face elevated risk. This is a classic control-plane DoS vector that highlights the need for strict input limits and zero-trust access to service fabric APIs.
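As an added illustration (not Consul's own code or HashiCorp's patch), the unbounded read pattern the advisory describes sits beside a handler that caps the body with http.MaxBytesReader so the client-supplied Content-Length no longer dictates allocation; the 1 MiB cap, the route path and the function names are assumptions for this example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumed cap for this example; the page does not state the limit Consul's fix uses.
const maxEventBody = 1 << 20 // 1 MiB

// The pattern the advisory describes: the body is buffered with no size check at all.
func readEventBodyUnbounded(r *http.Request) ([]byte, error) {
	var buf bytes.Buffer
	_, err := io.Copy(&buf, r.Body)
	return buf.Bytes(), err
}

// Hardened handler: MaxBytesReader stops at the cap regardless of Content-Length; oversized bodies get 413.
func fireEventHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxEventBody)
	var buf bytes.Buffer
	if _, err := io.Copy(&buf, r.Body); err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "event payload too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "accepted %d bytes", buf.Len())
}

// fireEvent posts a constructed n-byte body to the handler and returns the HTTP status code.
func fireEvent(n int) int {
	req := httptest.NewRequest(http.MethodPut, "/v1/event/fire/deploy", strings.NewReader(strings.Repeat("x", n)))
	rec := httptest.NewRecorder()
	fireEventHandler(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(fireEvent(1024), fireEvent(maxEventBody+1)) // 200 413
}
```

The same cap can be applied once for every route by wrapping the mux in middleware that sets r.Body = http.MaxBytesReader(...) before dispatch.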

🎯 CORTEX Protocol Intelligence Assessment

Business Impact: Service registry or mesh instability can cascade into application downtime and customer-facing outages.

Defensive Priority: Patch to fixed versions, restrict API access, and enforce rate limits/logging on event endpoints.

Industry Implications: DoS vectors in control planes highlight the need for strict input limits and zero-trust access to service fabric APIs.

Strategic Intelligence Guidance

  • Upgrade Community to 1.22.0 and Enterprise to 1.22.0/1.21.6/1.20.8/1.18.12 per environment
  • Gate Consul APIs behind mTLS, RBAC, and IP allowlists; disable unused endpoints
  • Implement WAF or API gateway limits on payload size and request rate to /v1/event/fire
  • Alert on spikes in Consul memory usage and large event payloads from atypical clients

CVEs

CVE-2025-11375

Vendors

HashiCorp

Threats

denial of service, memory exhaustion

Targets

HashiCorp Consul, Service mesh, Service discovery