Skip to main content
CVE Vulnerability Database

CVE-2024-6468: HashiCorp Vault DOS Vulnerability

CVE-2024-6468 is a denial of service vulnerability in HashiCorp Vault that causes API server shutdown when unauthorized IPs send requests. This post covers technical details, affected versions, and mitigation steps.

Published:

CVE-2024-6468 Overview

CVE-2024-6468 is a denial of service vulnerability in HashiCorp Vault and Vault Enterprise. The flaw stems from improper handling of requests originating from unauthorized IP addresses when the TCP listener option proxy_protocol_behavior is set to deny_unauthorized. When the Vault API server receives a request from a source IP address not listed in proxy_protocol_authorized_addrs, the server shuts down and stops responding to HTTP requests. This vulnerability affects deployments that explicitly configure PROXY protocol behavior on Vault listeners and impacts secrets management availability across dependent applications. HashiCorp addressed the issue in Vault and Vault Enterprise versions 1.17.2, 1.16.6, and 1.15.12.

Critical Impact

A single request from an unauthorized source IP can crash the Vault API server, disrupting secret retrieval, authentication, and dynamic credential issuance for all downstream applications.

Affected Products

  • HashiCorp Vault versions prior to 1.17.2
  • HashiCorp Vault Enterprise versions prior to 1.16.6
  • HashiCorp Vault and Vault Enterprise 1.15.x prior to 1.15.12

Discovery Timeline

  • 2024-07-11 - CVE-2024-6468 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-6468

Vulnerability Analysis

The vulnerability is classified under [CWE-703] (Improper Check or Handling of Exceptional Conditions). HashiCorp Vault supports the PROXY protocol on its TCP listeners to preserve client IP information when traffic is routed through load balancers. Operators can configure proxy_protocol_behavior with the value deny_unauthorized to reject connections from sources not listed in proxy_protocol_authorized_addrs. When an unauthorized source IP sends a request, the listener fails to handle the rejection cleanly. Instead of dropping the connection and continuing operation, the Vault API server terminates and stops accepting any further HTTP requests. The result is a full service outage for the affected Vault node until an operator restarts the process.

Root Cause

The root cause is improper exception handling in the listener code path that processes denied PROXY protocol connections. When a connection from an unauthorized address triggers the deny condition, the resulting error propagates beyond the request handler and terminates the API server goroutine. Notably, a separate regression in Vault releases up to 1.17.1 and 1.16.5 prevented operators from configuring the deny_unauthorized option at all, masking the vulnerability in those versions. Once the configuration regression was resolved, the underlying denial of service condition became reachable.

Attack Vector

An unauthenticated remote attacker can trigger the vulnerability by sending a TCP connection to a Vault listener configured with proxy_protocol_behavior = "deny_unauthorized" from any source IP not present in proxy_protocol_authorized_addrs. No credentials, user interaction, or specialized payload are required. The attack does not compromise confidentiality or integrity but eliminates availability of the Vault API. See the HashiCorp Security Advisory HCSEC-2024-14 for vendor details.

Detection Methods for CVE-2024-6468

Indicators of Compromise

  • Unexpected termination of the Vault API server process with no preceding administrative action
  • HTTP request failures and connection timeouts from clients to Vault listener endpoints
  • Vault audit and operational logs showing PROXY protocol rejection events immediately before service crash
  • Connection attempts to Vault listener ports from source IPs outside the configured proxy_protocol_authorized_addrs list

Detection Strategies

  • Monitor Vault process uptime and trigger alerts on unplanned restarts or exits
  • Correlate listener-level connection rejection log entries with subsequent API unavailability
  • Inspect upstream load balancer logs for failed health checks against Vault backends
  • Track 5xx error rates and connection refused responses from Vault clients

Monitoring Recommendations

  • Enable Vault telemetry metrics, focusing on vault.core.unsealed and listener connection counters
  • Forward Vault operational logs and audit logs to a centralized SIEM for correlation
  • Set alerts on network traffic to Vault listener ports from non-allowlisted source IP ranges
  • Implement synthetic health checks that exercise the Vault API and alert on response failures

How to Mitigate CVE-2024-6468

Immediate Actions Required

  • Upgrade Vault and Vault Enterprise to version 1.17.2, 1.16.6, or 1.15.12 or later
  • Audit all listener configurations for the proxy_protocol_behavior setting and identify nodes using deny_unauthorized
  • Restrict network access to Vault listener ports using firewall rules or security groups, allowing only known load balancer source IPs
  • Verify that proxy_protocol_authorized_addrs accurately reflects all legitimate upstream proxy sources

Patch Information

HashiCorp fixed the vulnerability in Vault and Vault Enterprise releases 1.17.2, 1.16.6, and 1.15.12. Patched binaries are available from HashiCorp release channels. Refer to the HashiCorp Security Advisory HCSEC-2024-14 for complete release notes and upgrade guidance.

Workarounds

  • Change proxy_protocol_behavior from deny_unauthorized to use_always or allow_authorized until patching is complete
  • Place Vault behind a load balancer or firewall that enforces source IP allowlisting at the network layer
  • Remove the PROXY protocol configuration from listeners that do not require client IP preservation

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.