Summary
Vault Community and Vault Enterprise rekey and recovery key operations can lead to a denial of service due to uncontrolled cancellation by a Vault operator. This vulnerability (CVE-2025-4656) has been remediated in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.6, 1.18.11, 1.17.17, and 1.16.22.
Background
The rekey operation allows an operator to rekey Vault’s unseal keys. When using a seal that supports stored keys such as PKCS #11, an operator provides the number of shares and the threshold required to unseal the root key. In addition, this rekey operation cannot be run concurrently.
A nonce is provided to identify the rekey operation and is used to track its progress.
In order to modify the number of shares and threshold required, an operator must cancel the operation in progress and restart the request. This functionality extends to the recovery keys as well.
Details
Due to the nature of the request, these endpoints are unauthenticated, instead using recovery or seal key fragment challenge/response in lieu of API authentication. This can lead to a denial of service attack by which a malicious actor could cancel this operation and reset the number of shares needed.
This allows an attacker to cancel the operation and deny Vault access to clients until the operator initiates the rekey operation again.
When the in-flight operation is cancelled and reset this way, only a single warn-level log event is emitted:
2025-05-13T12:22:48.575-0500 [WARN] core: shamir stored keys supported, forcing rekey shares/threshold to 1
Affected Products / Versions:
Vault Community Edition from 1.14.8 up to 1.19.5, fixed in 1.20.0.
Vault Enterprise from 1.14.8 up to 1.19.5, 1.18.10, 1.17.16, 1.16.21, fixed in 1.20.0, 1.19.6, 1.18.11, 1.17.17, 1.16.22
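As an added example (not HashiCorp's code), the following script checks whether a given Vault version and edition fall inside the affected ranges listed above, and scans server log lines for the warn-level event from the Details section, which is the only signal the advisory describes. It assumes a version in a release line with no listed fix (such as Enterprise 1.15.x) stays affected until the first fixed release of a later line, and the sample log lines are constructed.

```python
"""Affected-version check and log scan for CVE-2025-4656 (Vault rekey DoS)."""
import re

# Ranges taken from the advisory: affected from 1.14.8 in every release line,
# fixed from the listed patch release of each line onward (fix is exclusive).
FIRST_AFFECTED = (1, 14, 8)
FIXED = {
    "community": [(1, 20, 0)],
    "enterprise": [(1, 16, 22), (1, 17, 17), (1, 18, 11), (1, 19, 6), (1, 20, 0)],
}

# Matches the exact warn line quoted in the advisory; captures the timestamp.
WARN_RE = re.compile(
    r"^(\S+)\s+\[WARN\]\s+core: shamir stored keys supported, "
    r"forcing rekey shares/threshold to 1$"
)


def parse_version(text):
    """Turn 'v1.19.5' or '1.19.5+ent' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Vault version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version, edition):
    """True if this edition/version is inside the advisory's affected ranges."""
    v = parse_version(version)
    fixes = FIXED[edition]
    if v < FIRST_AFFECTED or v >= max(fixes):
        return False
    # Assumption: a line with no listed fix (e.g. 1.15.x) remains affected.
    same_line = [f for f in fixes if f[:2] == v[:2]]
    return not (same_line and v >= same_line[0])


def find_forced_rekey_events(lines):
    """Return timestamps of log lines matching the advisory's warn event."""
    return [m.group(1) for line in lines if (m := WARN_RE.match(line))]


# Constructed sample: one matching warn line and one unrelated info line.
SAMPLE_LOG = [
    "2025-05-13T12:22:48.575-0500 [WARN]  core: shamir stored keys supported, "
    "forcing rekey shares/threshold to 1",
    "2025-05-13T12:22:49.001-0500 [INFO]  core: post-unseal setup complete",
]

if __name__ == "__main__":
    print(is_affected("1.19.5", "community"), is_affected("1.19.6", "enterprise"))
    print(find_forced_rekey_events(SAMPLE_LOG))
```

A single warn line in isolation is expected during a legitimate rekey; repeated events without a corresponding operator-initiated rekey are what warrant investigation.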
Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Vault Community Edition 1.20.0, or Vault Enterprise 1.20.0, 1.19.6, 1.18.11, 1.17.17, or 1.16.22.