Cyber Resilience

CVE-2024-8185

High

Published: 31 October 2024
Modified: 13 November 2025
KEV Added: not listed
Patch: available (see Vulnerability details)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0065 (71.2 percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-8185 is a high-severity Not Failing Securely / Failing Open (CWE-636) vulnerability in HashiCorp Vault. Its CVSS v3.1 base score is 7.5 (High); the vector is network-reachable, low complexity, and requires no privileges or user interaction, with impact limited to availability.

Operationally, it ranks in the top 28.8% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Vulnerability details

Vault Community and Vault Enterprise ("Vault") clusters using Vault's Integrated Storage backend are vulnerable to a denial-of-service (DoS) attack through memory exhaustion via a Raft cluster join API endpoint. An attacker may send a large volume of requests to the endpoint, which may cause Vault to consume excessive system memory resources, potentially leading to a crash of the underlying system and the Vault process itself. This vulnerability, CVE-2024-8185, is fixed in Vault Community 1.18.1 and Vault Enterprise 1.18.1, 1.17.8, and 1.16.12.

CWE(s)

CWE-636: Not Failing Securely ("Failing Open")
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

hashicorp / vault: 1.18.0; 1.2.0 to 1.16.12; 1.2.0 to 1.18.1; 1.17.0 to 1.17.8 (fixed in 1.16.12, 1.17.8 and 1.18.1)
openbao / openbao: 2.0.3 and earlier

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-636) cited in the NVD entry. Each control addresses CWE-636.

- Ensures audit logging continues on primary failure instead of failing open with no logging capability.
- Supports failing securely by requiring alerts and configurable actions (e.g., shutdown) when the audit mechanism fails instead of continuing without it.
- Entering safe mode when failure conditions are detected prevents failing open and continuing normal operation in a potentially exploitable state.
- Ensures security functions remain enforced via alternatives instead of defaulting to an insecure state when the primary means fails.
- The fail-safe-defaults principle prevents systems from failing open.
- Directly requires transition to a known (secure) state on failure, preventing fail-open behavior.
- Standby components and explicit exchange criteria enforce a controlled, secure failover instead of failing open.
- Directly implements fail-safe (fail-closed/secure) behavior on indicated failures, preventing the system from defaulting to an insecure open state.