ent-changelog-1.21.6

📦 consul-connect
1 breaking · 3 features · 🐛 7 fixes · 2 deprecations · 🔧 5 symbols

Summary

This release focuses heavily on security enhancements, including fixes for path traversal and DoS vulnerabilities, alongside significant improvements and modernization within the Consul UI components.

⚠️ Breaking Changes

  • Added key name validation on the key/value endpoint to fix path traversal attacks (CVE-2025-11392). Validation is enabled by default but can be disabled using the `DisableKVKeyValidation` configuration option.

Migration Steps

  1. If you rely on key names containing traversal patterns that the KV endpoint previously allowed, you may need to update your key names. If the new validation breaks existing workflows, you can explicitly set `DisableKVKeyValidation` to true in your configuration, though this is not recommended due to security implications.

✨ New Features

  • Added a new API endpoint (/v1/operator/utilization) to support enterprise API for Manual Snapshot Reporting.
  • Added new subcommand `consul operator utilization [-today-only] [-message] [-y]` to generate a census utilization snapshot bundle (main flow implemented in consul-enterprise).
  • Agent now always enables census metrics collection with a configurable option to export it to HashiCorp Reporting.

🐛 Bug Fixes

  • Fixed proxied URL path validation to prevent path traversal.
  • Improved validation of the Content-Length header in the Consul KV endpoint to prevent potential denial of service attacks (CVE-2025-11374).
  • Added a maximum Content-Length on the event endpoint to fix denial-of-service (DoS) attacks (CVE-2025-11375).
  • Fixed `consul operator utilization --help` to show only available options without extra parameters.
  • Allowed FQDN to be displayed in the Consul web interface.
  • Fixed issue where namespaces were disappearing and the Welcome to Namespace screen showed up after tab switching.
  • Fixed issue where the three dots on the right-hand side stop responding after the first delete when deleting multiple tokens or policies.

🔧 Affected Symbols

  • `/v1/operator/utilization`
  • `consul operator utilization`
  • `DisableKVKeyValidation`
  • `Route#renderTemplate`
  • `send` action

⚡ Deprecations

  • The UI removed usage of deprecated `Route#renderTemplate` by introducing `DebugLayout` component and controller-based conditional rendering for docs routes.
  • The UI removed `send` action instances as part of the Ember deprecation: https://deprecations.emberjs.com/id/ember-component-send-action/