hashicorp · Manishakumari-hc · Oct 14, 2025 · Oct 10, 2025 · Oct 10, 2025 · Oct 13, 2025
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 1.22.0-rc2(October 16, 2025)
+
+SECURITY:
+
+* security: Fix Consul's KV endpoint is vulnerable to denial of service address CVE-2025-11374 [[GH-22916](https://github.com/hashicorp/consul/pull/22916)]
+
 ## 1.22.0-rc1 (September 30, 2025)
 
 SECURITY:

@@ -234,20 +234,29 @@
 	}
 
 	// Check the content-length
-	if req.ContentLength > int64(s.agent.config.KVMaxValueSize) {
+	maxSize := int64(s.agent.config.KVMaxValueSize)
+
+	switch {
+	case req.ContentLength <= 0:
+		return nil, HTTPError{
+			StatusCode: http.StatusBadRequest,
+			Reason:     fmt.Sprintf("Request does not specify content-length .Expected content-length between 1 and %d .", maxSize),
+		}
+	case req.ContentLength > maxSize:
 		return nil, HTTPError{
 			StatusCode: http.StatusRequestEntityTooLarge,
 			Reason: fmt.Sprintf("Request body(%d bytes) too large, max size: %d bytes. See %s.",
-				req.ContentLength, s.agent.config.KVMaxValueSize, "https://developer.hashicorp.com/docs/agent/config/config-files#kv_max_value_size"),
+				req.ContentLength, maxSize, "https://developer.hashicorp.com/docs/agent/config/config-files#kv_max_value_size"),
+		}
+	default:
+		// Copy the value
+		buf := bytes.NewBuffer(nil)
+		if _, err := io.Copy(buf, req.Body); err != nil {
+			return nil, err
 		}
 	}
 
-	// Copy the value
-	buf := bytes.NewBuffer(nil)
-	if _, err := io.Copy(buf, req.Body); err != nil {
-		return nil, err
-	}
 	applyReq.DirEnt.Value = buf.Bytes()
 
 	// Make the RPC
 	var out bool

@@ -37,6 +37,7 @@ func TestKVSEndpoint_PUT_GET_DELETE(t *testing.T) {
 	for _, key := range keys {
 		buf := bytes.NewBuffer([]byte("test"))
 		req, _ := http.NewRequest("PUT", "/v1/kv/"+key, buf)
+		req.ContentLength = int64(buf.Len())
 		resp := httptest.NewRecorder()
 		obj, err := a.srv.KVSEndpoint(resp, req)
 		if err != nil {