HashiCorp — Vulnerabilities & Security Advisories (89)

Browse all 89 CVE security advisories affecting HashiCorp. AI-powered Chinese analysis, POCs, and references for each vulnerability.

HashiCorp develops infrastructure automation software, best known for Terraform, Vault, and Consul, which organizations use to provision and secure cloud infrastructure. Its products have historically been associated with several vulnerability classes, including remote code execution, cross-site scripting, and privilege escalation, often arising from complex integration points or from misconfiguration of how these tools interact with underlying systems. With 89 CVEs currently on record, the security landscape for HashiCorp tools reflects the inherent risk of widely adopted, high-privilege infrastructure management software. While no single catastrophic incident has defined the company’s history, the volume of disclosed flaws highlights the difficulty of maintaining security across a diverse ecosystem of plugins and integrations. Users must patch these tools promptly to mitigate the risk of unauthorized access or data exfiltration, so that their powerful automation capabilities do not become vectors for systemic compromise.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2025-1293 | HashiCorp Hermes Improperly Validates AWS ALB JWTs, which May Lead to Authentication Bypass | Tooling | CWE-1390 | 8.2 | High | 2025-02-20 |
| CVE-2025-0937 | Nomad Vulnerable To Event Stream Namespace ACL Policy Bypass Through Wildcard Namespace | Nomad | CWE-863 | 7.1 | High | 2025-02-12 |
| CVE-2025-0377 | HashiCorp go-slug Vulnerable to Zip Slip Attack | Shared library | CWE-59 | 7.5 | High | 2025-01-21 |
| CVE-2024-12678 | Nomad Allocations Vulnerable To Privilege Escalation Within A Namespace Using Unredacted Workload Identity Tokens | Nomad | CWE-266 | 6.5 | Medium | 2024-12-20 |
| CVE-2024-12289 | Boundary Controller Incorrectly Handles HTTP Requests On Initialization Which May Lead to a Denial of Service | Boundary | CWE-460 | 5.9 | Medium | 2024-12-12 |
| CVE-2024-10975 | Nomad Vulnerable To Cross-Namespace Volume Creation Abusing CSI Write Permission | Nomad | CWE-863 | 7.7 | High | 2024-11-07 |
| CVE-2024-8185 | Vault Vulnerable to Denial of Service When Processing Raft Join Requests | Vault | CWE-636 | 7.5 | High | 2024-10-31 |
| CVE-2024-10086 | Consul Vulnerable To Reflected XSS On Content-Type Error Manipulation | Consul | CWE-79 | 6.1 | Medium | 2024-10-30 |
| CVE-2024-10006 | Consul L7 Intentions Vulnerable To Headers Bypass | Consul | CWE-644 | 8.3 | High | 2024-10-30 |
| CVE-2024-10005 | Consul L7 Intentions Vulnerable To URL Path Bypass | Consul | CWE-22 | 8.1 | High | 2024-10-30 |
| CVE-2024-10228 | Vagrant VMWare Utility installation files vulnerable to modification by unprivileged user | Vagrant | CWE-732 | 3.8 | Low | 2024-10-29 |
| CVE-2024-9180 | Vault Operators in Root Namespace May Elevate Their Privileges | Vault | CWE-266 | 7.2 | High | 2024-10-10 |
| CVE-2024-7594 | Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By Default | Vault | CWE-732 | 7.5 | High | 2024-09-26 |
| CVE-2024-8365 | Vault Leaks AppRole Client Tokens And Accessor in Audit Log | Vault | CWE-532 | 6.2 | Medium | 2024-09-02 |
| CVE-2024-7625 | Nomad Vulnerable to Allocation Directory Escape On Non-Existing File Paths Through Archive Unpacking | Nomad | CWE-610 | 5.8 | Medium | 2024-08-14 |
| CVE-2024-6717 | Nomad Vulnerable to Allocation Directory Path Escape Through Archive Unpacking | Nomad | CWE-610 | 7.7 | High | 2024-07-23 |
| CVE-2024-6468 | Vault Vulnerable to Denial of Service When Setting a Proxy Protocol Behavior | Vault | CWE-703 | 7.5 | High | 2024-07-11 |
| CVE-2024-6257 | HashiCorp go-getter Vulnerable to Code Execution On Git Update Via Git Config Manipulation | Shared library | CWE-77 | 8.4 | High | 2024-06-25 |
| CVE-2024-6104 | go-retryablehttp can leak basic auth credentials to log files | Shared library | CWE-532 | 6.0 | Medium | 2024-06-24 |
| CVE-2024-5798 | Vault Incorrectly Validated JSON Web Tokens (JWT) Audience Claims | Vault | CWE-287 | 2.6 | Low | 2024-06-12 |
| CVE-2024-2877 | Vault Enterprise Leaks Sensitive HTTP Request Headers in the Audit Log When Deployed With a Performance Standby Node | Vault Enterprise | CWE-532 | 5.5 | Medium | 2024-04-30 |
| CVE-2024-3817 | HashiCorp go-getter Vulnerable to Argument Injection When Fetching Remote Default Git Branches | Shared library | CWE-88 | 9.8 | Critical | 2024-04-17 |
| CVE-2024-2660 | Vault TLS Cert Auth Method Did Not Correctly Validate OCSP Responses | Vault | CWE-636 | 6.4 | Medium | 2024-04-04 |
| CVE-2024-2048 | Vault Cert Auth Method Did Not Correctly Validate Non-CA Certificates | Vault | CWE-295 | 8.1 | High | 2024-03-04 |
| CVE-2024-1329 | Nomad Vulnerable to Arbitrary Write Through Symlink Attack | Nomad | CWE-59 | 7.7 | High | 2024-02-08 |
| CVE-2024-1052 | Boundary Vulnerable to Session Hijacking Through TLS Certificate Tampering | Boundary | CWE-295 | 8.0 | High | 2024-02-05 |
| CVE-2024-0831 | Vault May Expose Sensitive Information When Configuring An Audit Log Device | Vault | CWE-532 | 4.5 | Medium | 2024-02-01 |
| CVE-2023-6337 | Vault May be Vulnerable to a Denial of Service Through Memory Exhaustion When Handling Large HTTP Requests | Vault | CWE-770 | 7.5 | High | 2023-12-08 |
| CVE-2023-5954 | Vault Requests Triggering Policy Checks May Lead To Unbounded Memory Consumption | Vault | CWE-401 | 5.9 | Medium | 2023-11-09 |
| CVE-2023-5834 | Vagrant’s Windows Installer Allowed Directory Junction Write | Vagrant | CWE-1386 | 3.8 | Low | 2023-10-27 |

This page lists every published CVE security advisory associated with HashiCorp. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.