CVE-2024-6468 Overview
CVE-2024-6468 is a denial of service vulnerability in HashiCorp Vault and Vault Enterprise. The flaw stems from improper handling of requests originating from unauthorized IP addresses when the TCP listener option proxy_protocol_behavior is set to deny_unauthorized. When the Vault API server receives a request from a source IP address not listed in proxy_protocol_authorized_addrs, the server shuts down and stops responding to HTTP requests. This vulnerability affects deployments that explicitly configure PROXY protocol behavior on Vault listeners and impacts secrets management availability across dependent applications. HashiCorp addressed the issue in Vault and Vault Enterprise versions 1.17.2, 1.16.6, and 1.15.12.
Critical Impact
A single request from an unauthorized source IP can crash the Vault API server, disrupting secret retrieval, authentication, and dynamic credential issuance for all downstream applications.
Affected Products
- HashiCorp Vault versions prior to 1.17.2
- HashiCorp Vault Enterprise versions prior to 1.16.6
- HashiCorp Vault and Vault Enterprise 1.15.x prior to 1.15.12
Discovery Timeline
- 2024-07-11 - CVE-2024-6468 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-6468
Vulnerability Analysis
The vulnerability is classified under [CWE-703] (Improper Check or Handling of Exceptional Conditions). HashiCorp Vault supports the PROXY protocol on its TCP listeners to preserve client IP information when traffic is routed through load balancers. Operators can configure proxy_protocol_behavior with the value deny_unauthorized to reject connections from sources not listed in proxy_protocol_authorized_addrs. When an unauthorized source IP sends a request, the listener fails to handle the rejection cleanly. Instead of dropping the connection and continuing operation, the Vault API server terminates and stops accepting any further HTTP requests. The result is a full service outage for the affected Vault node until an operator restarts the process.
Root Cause
The root cause is improper exception handling in the listener code path that processes denied PROXY protocol connections. When a connection from an unauthorized address triggers the deny condition, the resulting error propagates beyond the request handler and terminates the API server goroutine. Notably, a separate regression in Vault releases up to 1.17.1 and 1.16.5 prevented operators from configuring the deny_unauthorized option at all, masking the vulnerability in those versions. Once the configuration regression was resolved, the underlying denial of service condition became reachable.
Attack Vector
An unauthenticated remote attacker can trigger the vulnerability by sending a TCP connection to a Vault listener configured with proxy_protocol_behavior = "deny_unauthorized" from any source IP not present in proxy_protocol_authorized_addrs. No credentials, user interaction, or specialized payload are required. The attack does not compromise confidentiality or integrity but eliminates availability of the Vault API. See the HashiCorp Security Advisory HCSEC-2024-14 for vendor details.
Detection Methods for CVE-2024-6468
Indicators of Compromise
- Unexpected termination of the Vault API server process with no preceding administrative action
- HTTP request failures and connection timeouts from clients to Vault listener endpoints
- Vault audit and operational logs showing PROXY protocol rejection events immediately before service crash
- Connection attempts to Vault listener ports from source IPs outside the configured proxy_protocol_authorized_addrs list
Detection Strategies
- Monitor Vault process uptime and trigger alerts on unplanned restarts or exits
- Correlate listener-level connection rejection log entries with subsequent API unavailability
- Inspect upstream load balancer logs for failed health checks against Vault backends
- Track 5xx error rates and connection refused responses from Vault clients
Monitoring Recommendations
- Enable Vault telemetry metrics, focusing on vault.core.unsealed and listener connection counters
- Forward Vault operational logs and audit logs to a centralized SIEM for correlation
- Set alerts on network traffic to Vault listener ports from non-allowlisted source IP ranges
- Implement synthetic health checks that exercise the Vault API and alert on response failures
How to Mitigate CVE-2024-6468
Immediate Actions Required
- Upgrade Vault and Vault Enterprise to version 1.17.2, 1.16.6, or 1.15.12 or later
- Audit all listener configurations for the proxy_protocol_behavior setting and identify nodes using deny_unauthorized
- Restrict network access to Vault listener ports using firewall rules or security groups, allowing only known load balancer source IPs
- Verify that proxy_protocol_authorized_addrs accurately reflects all legitimate upstream proxy sources
Patch Information
HashiCorp fixed the vulnerability in Vault and Vault Enterprise releases 1.17.2, 1.16.6, and 1.15.12. Patched binaries are available from HashiCorp release channels. Refer to the HashiCorp Security Advisory HCSEC-2024-14 for complete release notes and upgrade guidance.
Workarounds
- Change proxy_protocol_behavior from deny_unauthorized to use_always or allow_authorized until patching is complete
- Place Vault behind a load balancer or firewall that enforces source IP allowlisting at the network layer
- Remove the PROXY protocol configuration from listeners that do not require client IP preservation
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

