
@renovate-sh-app renovate-sh-app bot commented Oct 30, 2025

This PR contains the following updates:

| Package | Change |
| --- | --- |
| github.com/hashicorp/consul | v1.20.5 -> v1.22.0 |

Consul key/value endpoint is vulnerable to denial of service

CVE-2025-11374 / GHSA-7g3r-8c6v-hfmr

Details

Consul and Consul Enterprise’s (“Consul”) key/value endpoint is vulnerable to denial of service (DoS) due to incorrect Content Length header validation. This vulnerability, CVE-2025-11374, is fixed in Consul Community Edition 1.22.0 and Consul Enterprise 1.22.0, 1.21.6, 1.20.8 and 1.18.12.

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Consul event endpoint is vulnerable to denial of service

CVE-2025-11375 / GHSA-qh7p-pfq3-677h

Details

Consul and Consul Enterprise’s (“Consul”) event endpoint is vulnerable to denial of service (DoS) due to lack of maximum value on the Content Length header. This vulnerability, CVE-2025-11375, is fixed in Consul Community Edition 1.22.0 and Consul Enterprise 1.22.0, 1.21.6, 1.20.8 and 1.18.12.

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

hashicorp/consul (github.com/hashicorp/consul)

v1.22.0

Compare Source

1.22.0 Enterprise (October 24, 2025)

SECURITY:

  • connect: Upgrade Consul's bundled Envoy version to 1.35.3 and remove support for 1.31.10. This update also includes a fix to prevent Envoy (v1.35+) startup failures by only configuring the TLS transport socket when the CA bundle is present. [GH-22824]
  • security: Add a warning when remote/local script checks are enabled without ACLs being enabled. [GH-22877]
  • security: Improved validation of the Content-Length header in the Consul KV endpoint to prevent potential denial-of-service attacks. This resolves CVE-2025-11374. [GH-22916]
  • security: Add a maximum Content-Length on the event endpoint to fix denial-of-service (DoS) attacks. This resolves CVE-2025-11375. [GH-22836]
  • security: breaking change - add key name validation on the key/value endpoint, alongside the DisableKVKeyValidation config option to disable/enable it, to fix path traversal attacks on misconfigured or missing ACL policies. [GH-22850]

FEATURES:

  • Added support to register a service in consul with multiple ports [GH-22769]
  • agent: Added IsDualStack utility function to detect if the agent is configured for both IPv4 and IPv6 (dual-stack mode) based on its bind address retrieved from "agent/self" API. [GH-22741]
  • install: Updated license information displayed during post-install
  • ipv6: addition of ip6tables changes for IPv6 and dual-stack support [GH-22787]
  • oidc: add client authentication using JWT assertion and PKCE. PKCE is enabled by default. [GH-22732]

IMPROVEMENTS:

  • security: Upgrade golang to 1.25.3. [GH-22926]
  • ui: Fixes computed property override issues currently occurring and in some cases pre-emptively as this has been deprecated in ember v4 [GH-22947]
  • ui: removes send action instances as part of https://deprecations.emberjs.com/id/ember-component-send-action/ [GH-22938]
  • ui: replaced ember partials with components as an incremental step to upgrade to ember v4 [GH-22888]
  • api: Added a new API (/v1/operator/utilization) to support enterprise API for Manual Snapshot Reporting [GH-22837]
  • cmd: Added new subcommand consul operator utilization [-today-only] [-message] [-y] to generate a bundle with census utilization snapshot. Main flow is implemented in consul-enterprise
  • http: Added a new API Handler for /v1/operator/utilization. Core functionality to be implemented in consul-enterprise
  • agent: Always enabled census metrics collection with configurable option to export it to Hashicorp Reporting [GH-22843]
  • cli: snapshot agent now supports authenticating to Azure Blob Storage using Azure Managed Service Identities (MSI). [GH-11171]
  • command: connect envoy bootstrap defaults to 127.0.0.1 in IPv4-only environment and to ::1 in IPv6/DualStack environment. [GH-22763]
  • connect: default upstream.local_bind_address to ::1 for IPv6 agent bind address [GH-22773]
  • proxy: default proxy.local_service_address to ::1 for IPv6 agent bind address [GH-22772]
  • ui: Improved accessibility features in the Consul UI to enhance usability for users with disabilities [GH-22770]
  • ui: Replace yarn with pnpm for package management [GH-22790]
  • ui: auth method config values were overflowing. This PR fixes the issue and adds word break for table elements with large content. [GH-22813]

BUG FIXES:

  • ui: Allow FQDN to be displayed in the Consul web interface. [GH-22779]
  • ui: fixes the issue where namespaces were disappearing and the Welcome to Namespace screen showed up after tab switching [GH-22789]
  • ui: fixes the issue where, when deleting multiple tokens or policies, the three-dot menu on the right-hand side stops responding after the first delete. [GH-22752]
  • cmd: Fix consul operator utilization --help to show only available options without extra parameters. [GH-22912]

v1.21.5

Compare Source

1.21.5 (September 21, 2025)

SECURITY:

  • Migrate transitive dependency from archived mitchellh/mapstructure to go-viper/mapstructure to v2 to address CVE-2025-52893. [GH-22581]
  • agent: Add the KV Validations to block path traversal allowing access to unauthorized endpoints. [GH-22682]
  • agent: Fix a security vulnerability to filter out anonymous tokens along with empty tokens when setting the Results-Filtered-By-ACLs header [GH-22534]
  • agent: Fix a security vulnerability where the attacker could read agent’s TLS certificate and private key by using the group ID that the Consul agent runs as. [GH-22626]
  • api: add charset in all applicable content-types. [GH-22598]
  • connect: Upgrade envoy version to 1.34.7 [GH-22735]
  • security: Fix GHSA-65rg-554r-9j5x (CVE-2024-48908) by upgrading lycheeverse/lychee-action. [GH-22667]
  • security: Fix a security vulnerability where the attacker could bypass authentication by passing url params as there was no validation on them. [GH-22612]
  • security: perform constant time compare for sensitive values. [GH-22537]
  • security: upgrade go version to 1.25.0 [GH-22652]
  • security: (Enterprise only) fix nil pointer dereference.
  • security: (Enterprise only) fix potential race condition in partition CRUD.
  • security: (Enterprise only) perform constant time compare for sensitive values.

FEATURES:

  • config: Add new parameter max_request_headers_kb to configure maximum header size for requests from downstream to upstream [GH-22604]
  • config: Handle a new parameter max_request_headers_kb to configure maximum header size for requests from downstream to upstream in API Gateway config and proxy-defaults [GH-22679]
  • config: Handle a new parameter max_request_headers_kb to configure maximum header size for requests from downstream to upstream in Mesh Gateway via service-defaults and proxy-defaults [GH-22722]
  • config: Handle a new parameter max_request_headers_kb to configure maximum header size for requests from downstream to upstream in Terminating Gateway service-defaults and proxy-defaults [GH-22680]

IMPROVEMENTS:

  • cli: add troubleshoot ports in debug command. A ports.json file is created, which lists the open or closed ports on the host where the command is executed. [GH-22624]

BUG FIXES:

  • agent: Don't show admin partition during errors [GH-11154]

v1.21.4

Compare Source

1.21.4 (August 13, 2025)

SECURITY:

IMPROVEMENTS:

  • ui: Replaced internal code editor with HDS (HashiCorp Design System) code editor and code block components for improved accessibility and maintainability across the Consul UI. [GH-22513]

BUG FIXES:

  • cli: capture pprof when ACL is enabled and a token with operator:read is used, even if enable_debug config is not explicitly set. [GH-22552]

v1.21.3

Compare Source

1.21.3 (July 18, 2025)

IMPROVEMENTS:

  • ui: Improved display and handling of IPv6 addresses for better readability and usability in the Consul web interface. [GH-22468]

BUG FIXES:

  • cli: validate IP address in service registration to prevent invalid IPs in service and tagged addresses. [GH-22467]
  • ui: display IPv6 addresses with proper bracketed formatting [GH-22423]

v1.21.2

Compare Source

1.21.2 (June 17, 2025)

SECURITY:

IMPROVEMENTS:

  • config: Warn about invalid characters in datacenter resulting in non-generation of X.509 certificates when using external CA for agent TLS communication. [GH-22382]
  • connect: Use net.JoinHostPort for host:port formatting to handle IPv6. [GH-22359]

BUG FIXES:

  • http: return a clear error when both Service.Service and Service.ID are missing during catalog registration [GH-22381]
  • license: (Enterprise only) Fixed issue where usage metrics are not written to the snapshot to export the license data. [GH-10668]
  • wan-federation: Fixed an issue where advertised IPv6 addresses were causing WAN federation to fail. [GH-22226]

v1.21.1

Compare Source

1.21.1 (May 21, 2025)

FEATURES:

  • xds: Extend LUA Script support for API Gateway [GH-22321]
  • xds: Added a configurable option to disable XDS session load balancing, intended for scenarios where an external load balancer is used in front of Consul servers, making internal load balancing unnecessary.

IMPROVEMENTS:

  • http: Add peer query param on catalog service API [GH-22189]

v1.21.0

Compare Source

1.21.0 (May 06, 2025)

FEATURES:

  • Simplified external service discovery (Agentless/Gossipless)
  • Google Cloud Storage support for K8s snapshots
  • OpenShift 4.17 support
  • Pod Security Admissions compatibility
  • Refreshed documentation structure
  • Support for TLS SNI in remote JSONWebKeySet [GH-22177]

🔗 Link to full release details

IMPROVEMENTS:

  • raft: add a configuration raft_prevote_disabled to allow disabling raft prevote [GH-21758]
  • raft: update raft library to 1.7.0 which include pre-vote extension [GH-21758]
  • SubMatView: Log level change from ERROR to INFO for subject materialized view as subscription creation is retryable on ACL change. [GH-22141]
  • ui: Adds a copyable token accessor/secret on the settings page when signed in [GH-22105]
  • xDS: Log level change from ERROR to INFO for xDS delta discovery request. Stream can be cancelled on server shutdown and other scenarios. It is retryable and error is a superfluous log. [GH-22141]

v1.20.6

Compare Source

1.20.6 (April 25, 2025)

SECURITY:

IMPROVEMENTS:

  • Added support for Consul Session to update the state of a Health Check, allowing for more dynamic and responsive health monitoring within the Consul ecosystem. This feature enables sessions to directly influence health check statuses, improving the overall reliability and accuracy of service health assessments. [GH-22227]

BUG FIXES:

  • agent: Add the missing Service TaggedAddresses and Check Type fields to Txn API. [GH-22220]

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.
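The two advisories quoted in the Renovate comment above (CVE-2025-11374 for the KV endpoint, CVE-2025-11375 for the event endpoint) both come down to trusting the client-supplied Content-Length header. The Go program below is an added illustration of that bug class and of the two-part fix pattern; it is not Consul's code and not part of this PR. The 1 MiB cap, the /v1/kv/example path and the X-Allocated response header are assumptions made for the demo. It drives a vulnerable handler and a hardened handler with a request that advertises a 64 MiB body but sends five bytes, then sends the hardened handler a chunked 2 MiB body to show why a header check alone is not enough.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// maxKVBodyBytes is an illustrative cap chosen for this example; it is not
// the limit Consul's fix uses.
const maxKVBodyBytes int64 = 1 << 20 // 1 MiB

// vulnerableHandler shows the bug class the advisories describe: the body
// buffer is sized from the client-controlled Content-Length header before a
// single body byte has been read, so a client can make the server allocate
// far more memory than it ever sends.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	n := r.ContentLength
	if n < 0 { // -1 means unknown length (chunked); treat as empty here
		n = 0
	}
	buf := make([]byte, n) // attacker-controlled allocation
	// X-Allocated is a demo-only header reporting what was allocated.
	w.Header().Set("X-Allocated", strconv.Itoa(len(buf)))
	if _, err := io.ReadFull(r.Body, buf); err != nil {
		http.Error(w, "short body", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// hardenedHandler rejects an oversized Content-Length before allocating
// anything, and also caps the stream with http.MaxBytesReader, which covers
// chunked bodies (ContentLength == -1) and bodies that lie about their length.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	if r.ContentLength > maxKVBodyBytes {
		w.Header().Set("X-Allocated", "0")
		http.Error(w, "body too large", http.StatusRequestEntityTooLarge)
		return
	}
	r.Body = http.MaxBytesReader(w, r.Body, maxKVBodyBytes)
	body, err := io.ReadAll(r.Body) // grows incrementally, never past the cap
	w.Header().Set("X-Allocated", strconv.Itoa(len(body)))
	if err != nil {
		var mbe *http.MaxBytesError
		if errors.As(err, &mbe) {
			http.Error(w, "body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// serve drives a handler with a constructed request: claimedLen is the
// Content-Length the client advertises, body is what it actually sends.
// claimedLen == -1 models a chunked request with no Content-Length.
func serve(h http.HandlerFunc, claimedLen int64, body string) (status int, allocated int64) {
	req := httptest.NewRequest(http.MethodPut, "/v1/kv/example", strings.NewReader(body))
	req.ContentLength = claimedLen
	rec := httptest.NewRecorder()
	h(rec, req)
	allocated, _ = strconv.ParseInt(rec.Header().Get("X-Allocated"), 10, 64)
	return rec.Code, allocated
}

func main() {
	const claimed = 64 << 20 // header says 64 MiB; the body is 5 bytes
	for _, tc := range []struct {
		name string
		h    http.HandlerFunc
	}{{"vulnerable", vulnerableHandler}, {"hardened", hardenedHandler}} {
		status, alloc := serve(tc.h, claimed, "hello")
		fmt.Printf("%-10s Content-Length=%d, 5-byte body -> status %d, allocated %d bytes\n",
			tc.name, claimed, status, alloc)
	}
	status, alloc := serve(hardenedHandler, -1, strings.Repeat("A", 2<<20))
	fmt.Printf("hardened   chunked 2 MiB body -> status %d, read %d bytes before rejecting\n",
		status, alloc)
}
```

The header comparison is what the changelog calls a maximum Content-Length; the MaxBytesReader wrap is the part a practitioner should not forget, because a client that omits Content-Length and streams a chunked body bypasses any check on the header alone. The same split applies whether the endpoint stores the body (KV) or fans it out to agents (event).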

…curity]

| datasource | package                     | from    | to      |
| ---------- | --------------------------- | ------- | ------- |
| go         | github.com/hashicorp/consul | v1.20.5 | v1.22.0 |


Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>