CVE-2024-8185 Overview
CVE-2024-8185 affects HashiCorp Vault Community and Vault Enterprise clusters that use the Integrated Storage (Raft) backend. The vulnerability allows an unauthenticated remote attacker to trigger a denial-of-service (DoS) condition through memory exhaustion against the Raft cluster join API endpoint. Sending a large volume of requests to this endpoint causes Vault to consume excessive system memory, potentially crashing both the Vault process and the underlying host. HashiCorp resolved the issue in Vault Community 1.18.1 and Vault Enterprise 1.18.1, 1.17.8, and 1.16.12. The flaw is classified under CWE-636 (Not Failing Securely).
Critical Impact
Unauthenticated network attackers can crash Vault clusters by flooding the Raft cluster join endpoint, disrupting secret management and downstream applications that depend on Vault.
Affected Products
- HashiCorp Vault Community prior to 1.18.1
- HashiCorp Vault Enterprise prior to 1.18.1, 1.17.8, and 1.16.12
- OpenBao (impacted by the same upstream Raft join handling)
Discovery Timeline
- 2024-10-31 - CVE-2024-8185 published to NVD
- 2025-11-13 - Last updated in NVD database
Technical Details for CVE-2024-8185
Vulnerability Analysis
Vault's Integrated Storage backend uses the Raft consensus protocol to replicate state across cluster nodes. New nodes join the cluster by issuing requests to the Raft cluster join API endpoint. The endpoint accepts and processes incoming join requests without sufficient resource controls, allocating memory per request before validating or rate-limiting the workload.
An attacker who can reach the Vault API over the network can send a sustained volume of join requests. Each request causes the Vault process to allocate memory structures associated with cluster join handling. Because these allocations are not bounded, sustained requests grow Vault's resident memory until the operating system kills the process or the host runs out of memory.
The impact is limited to availability. Confidentiality and integrity of stored secrets are not affected, but a Vault outage cascades to any service that depends on Vault for credentials, certificates, or encryption operations.
Root Cause
The root cause is improper resource management on the Raft cluster join code path. The endpoint does not enforce backpressure, request quotas, or memory bounds before processing join attempts. Combined with the lack of authentication enforcement at the network layer, the endpoint can be abused by any actor with reachability to the Vault listener.
Attack Vector
Exploitation requires only network access to the Vault API endpoint. No authentication or user interaction is required. An attacker submits many concurrent or rapid join requests to the Raft cluster join API path, observing Vault's memory footprint grow until the process crashes. Operators typically detect the issue through out-of-memory (OOM) events on the host or sudden cluster leadership failures.
No public proof-of-concept code is associated with this CVE. See the HashiCorp Security Advisory HCSEC-2024-26 for vendor technical details.
Detection Methods for CVE-2024-8185
Indicators of Compromise
- Rapid growth in Vault process resident memory (RSS) without a corresponding increase in legitimate request volume.
- Linux OOM killer events terminating the vault process, visible in dmesg or /var/log/messages.
- Spikes in HTTP requests to the Raft cluster join API endpoint from unexpected source IPs.
- Unexpected Raft leadership elections or cluster instability events in Vault audit logs.
Detection Strategies
- Monitor Vault telemetry metrics, particularly vault.runtime.alloc_bytes and vault.runtime.sys_bytes, for abnormal allocation patterns.
- Inspect access logs at the load balancer or reverse proxy in front of Vault for repeated requests to Raft join paths from non-cluster sources.
- Correlate host-level memory pressure alerts with Vault API request rates to identify exhaustion attempts in progress.
Monitoring Recommendations
- Alert on Vault process memory exceeding a baseline threshold (for example, 80% of allocated container or host memory).
- Log and review all requests to cluster management API paths, restricting them to known peer IP ranges.
- Track Raft cluster health metrics (vault.raft.leader.lastContact, vault.raft.peers) for instability that could indicate an exhaustion attack.
How to Mitigate CVE-2024-8185
Immediate Actions Required
- Upgrade Vault Community to 1.18.1 or later.
- Upgrade Vault Enterprise to 1.18.1, 1.17.8, or 1.16.12 depending on the deployed release line.
- Restrict network access to the Vault API and cluster ports so only trusted operators and peer nodes can reach them.
- Review host and container memory limits to ensure Vault failure does not destabilize co-located services.
Patch Information
HashiCorp fixed CVE-2024-8185 in Vault Community 1.18.1 and Vault Enterprise 1.18.1, 1.17.8, and 1.16.12. Refer to HashiCorp Security Advisory HCSEC-2024-26 for the official advisory and upgrade guidance. OpenBao users should track upstream releases that incorporate the equivalent fix.
Workarounds
- Place Vault behind a network policy or firewall that limits cluster-management API access to known peer node IP addresses.
- Configure rate limits at an upstream reverse proxy or API gateway to throttle requests to Raft cluster join paths.
- Run Vault under a process supervisor with strict memory cgroup limits so an exhausted instance restarts cleanly rather than destabilizing the host.
# Example: restrict Vault cluster port (8201) to known peers using nftables
nft add table inet vault_filter
nft add chain inet vault_filter input { type filter hook input priority 0 \; policy drop \; }
nft add rule inet vault_filter input ip saddr { 10.0.1.10, 10.0.1.11, 10.0.1.12 } tcp dport 8201 accept
nft add rule inet vault_filter input tcp dport 8201 drop
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
