v1.22.0
⚠ 1 breaking | ✨ 8 features | 🐛 10 fixes | 🔧 11 symbols
Summary
Consul 1.22.0 delivers significant security enhancements, including DoS mitigations and key validation on the KV endpoint, alongside new features like multi-port service registration and OIDC JWT assertion support.
⚠️ Breaking Changes
- Key name validation has been added to the key/value endpoint. If you were relying on path traversal behavior or had misconfigured ACLs, this may break existing operations. To disable this new validation, use the `DisableKVKeyValidation` config.
Migration Steps
- If you rely on path traversal in the KV endpoint or have misconfigured ACLs, review your configuration against the new key name validation on the KV endpoint. Consider setting `DisableKVKeyValidation` if necessary.
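One way to carry out that review before upgrading, as an added example (not HashiCorp's code): a Go audit over `consul kv export` output that lists keys containing dot or empty path segments. The release notes do not state the exact validation rule, so the segment checks are an assumption, and `sampleExport`, `suspectReason` and `auditExport` are names made up for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample in the shape of `consul kv export` output (values are base64).
const sampleExport = `[
 {"key":"app/config/db","flags":0,"value":"djE="},
 {"key":"app/../secrets/token","flags":0,"value":"djE="},
 {"key":"app//dup","flags":0,"value":"djE="},
 {"key":"folder/","flags":0,"value":""}
]`

// suspectReason returns why a key deserves review, or "" if it looks plain.
// Assumption: the exact rule is not given in the release notes, so this flags
// any segment that path normalisation would alter.
func suspectReason(key string) string {
	for _, s := range strings.Split(strings.TrimSuffix(key, "/"), "/") { // trailing "/" marks a folder key
		switch s {
		case "..", ".":
			return "dot segment"
		case "":
			return "empty segment"
		}
	}
	return ""
}

// auditExport parses export JSON and maps each suspect key to its reason.
func auditExport(data []byte) (map[string]string, error) {
	var entries []struct{ Key string `json:"key"` }
	if err := json.Unmarshal(data, &entries); err != nil {
		return nil, fmt.Errorf("parse kv export: %w", err)
	}
	found := map[string]string{}
	for _, e := range entries {
		if r := suspectReason(e.Key); r != "" {
			found[e.Key] = r
		}
	}
	return found, nil
}

func main() {
	found, err := auditExport([]byte(sampleExport))
	fmt.Println(found, err)
}
```

Keys it reports are the ones to rename, or to test against a 1.22.0 agent, before deciding whether `DisableKVKeyValidation` is needed.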
✨ New Features
- Added support for registering a service in Consul with multiple ports.
- Added `IsDualStack` utility function to detect if the agent is configured for both IPv4 and IPv6 (dual-stack mode) based on its bind address retrieved from "agent/self" API.
- Added IPv6 and dual stack support via ip6tables changes.
- OIDC now supports client authentication using JWT assertion and PKCE (PKCE is enabled by default).
- Added new API (/v1/operator/utilization) to support enterprise API for Manual Snapshot Reporting.
- Added new subcommand `consul operator utilization [-today-only] [-message] [-y]` to generate a census utilization snapshot bundle.
- Census metrics collection is always enabled, with a configurable option to export it to HashiCorp Reporting.
- The `snapshot agent` command now supports authenticating to Azure Blob Storage using Azure Managed Service Identities (MSI).
🐛 Bug Fixes
- Fixed Envoy (v1.35+) startup failures by only configuring the TLS transport socket when the CA bundle is present.
- Improved validation of the Content-Length header in the Consul KV endpoint to prevent potential denial of service attacks [CVE-2025-11374].
- Added a maximum Content-Length on the event endpoint to fix denial-of-service (DoS) attacks, resolving [CVE-2025-11375].
- Connect envoy bootstrap defaults to 127.0.0.1 in IPv4-only environment and to ::1 in IPv6/DualStack environment.
- Default upstream.local_bind_address to ::1 for IPv6 agent bind address.
- Default proxy.local_service_address to ::1 for IPv6 agent bind address.
- Fixed `consul operator utilization --help` to show only available options without extra parameters.
- UI fix: Allow FQDN to be displayed in the Consul web interface.
- UI fix: Fixed the issue where namespaces were disappearing and Welcome to Namespace screen showed up after tab switching.
- UI fix: Fixed the issue where deleting multiple tokens or policies caused the three dots menu to stop responding after the first delete.
🔧 Affected Symbols
- Envoy (bundled)
- Consul KV endpoint
- event endpoint
- key/value endpoint
- DisableKVKeyValidation
- /v1/operator/utilization
- consul operator utilization
- snapshot agent
- agent/self API
- upstream.local_bind_address
- proxy.local_service_address