{"id":"GHSA-g233-2p4r-3q7v","summary":"Hashicorp Vault vulnerable to denial of service through memory exhaustion","details":"Vault Community and Vault Enterprise (“Vault”) clusters using Vault’s Integrated Storage backend are vulnerable to a denial-of-service (DoS) attack through memory exhaustion through a Raft cluster join API endpoint. An attacker may send a large volume of requests to the endpoint which may cause Vault to consume excessive system memory resources, potentially leading to a crash of the underlying system and the Vault process itself.\n\nThis vulnerability, CVE-2024-8185, is fixed in Vault Community 1.18.1 and Vault Enterprise 1.18.1, 1.17.8, and 1.16.12.","aliases":["BIT-vault-2024-8185","CVE-2024-8185","GO-2024-3246"],"modified":"2026-02-04T02:22:50.140061Z","published":"2024-10-31T18:31:19Z","related":["CGA-m64p-2x95-p5jf"],"database_specific":{"nvd_published_at":"2024-10-31T16:15:06Z","severity":"HIGH","github_reviewed":true,"github_reviewed_at":"2024-10-31T20:46:33Z","cwe_ids":["CWE-636"]},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-8185"},{"type":"WEB","url":"https://github.com/hashicorp/vault/commit/195dfca433028887973f5bd82d173d91fe9dab4a"},{"type":"WEB","url":"https://discuss.hashicorp.com/t/hcsec-2024-26-vault-vulnerable-to-denial-of-service-through-memory-exhaustion-when-processing-raft-cluster-join-requests/71047"},{"type":"PACKAGE","url":"https://github.com/hashicorp/vault"},{"type":"WEB","url":"https://openbao.org/docs/release-notes/2-0-0/#203"}],"affected":[{"package":{"name":"github.com/hashicorp/vault","ecosystem":"Go","purl":"pkg:golang/github.com/hashicorp/vault"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.2.0"},{"fixed":"1.18.1"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-g233-2p4r-3q7v/GHSA-g233-2p4r-3q7v.json"}},{"package":{"name":"github.com/openbao/openbao","ecosystem":"Go","purl":"pkg:golang/github.com/openbao/openbao"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.0.3"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-g233-2p4r-3q7v/GHSA-g233-2p4r-3q7v.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}]}