Name of the Vulnerable Software and Affected Versions:
Vault versions prior to 1.20.1
Vault Enterprise versions prior to 1.20.1
Vault Enterprise 1.19.x versions prior to 1.19.7
Vault Enterprise 1.18.x versions prior to 1.18.12
Vault Enterprise 1.16.x versions prior to 1.16.23
Description:
The Time-based One-Time Password (TOTP) secrets engine in Vault and Vault Enterprise did not reliably reject a code that had already been accepted. Because of a defect in the code validation endpoint, a correct TOTP code for a key could be submitted and accepted more than once while it remained within its validity period. A one-time code is only a one-time factor if every accepted code is refused on re-submission, so until the code expired anyone who had observed it could present it again and be validated.
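To make the failure mode concrete, the following Go program (an added example written for this page, not Vault's own code) implements RFC 6238 TOTP generation and a validation routine in the two forms that matter here: a naive check that only verifies the code against the allowed time window, which accepts the same code on every re-submission until the window moves on, and a hardened check that additionally records which (key name, time step) pairs have already been consumed. The key name "my-key", the fixed clock, and the reference secret are constructed inputs; the parameters match the engine's defaults (30-second period, 6 digits, HMAC-SHA1, skew of one period).

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"sync"
	"time"
)

// Defaults of the TOTP secrets engine: 30-second period, 6 digits, HMAC-SHA1,
// and one period of skew accepted on either side of "now".
const (
	period = 30 * time.Second
	digits = 6
	skew   = 1
)

// hotp computes the RFC 4226 HOTP value for one counter; TOTP is HOTP over a
// time-derived counter (RFC 6238).
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, bin%mod)
}

// counterAt maps a wall-clock time to its RFC 6238 time-step counter.
func counterAt(t time.Time) uint64 {
	return uint64(t.Unix()) / uint64(period/time.Second)
}

// GenerateTOTP is what a "read code" path does for a stored key.
func GenerateTOTP(secret []byte, t time.Time) string {
	return hotp(secret, counterAt(t))
}

// Validator models a "validate code" path. With replayCheck on it remembers
// which (key name, time step) pairs have already been consumed.
type Validator struct {
	mu   sync.Mutex
	used map[string]uint64 // "keyName:counter" -> counter, kept for pruning
}

func NewValidator() *Validator {
	return &Validator{used: make(map[string]uint64)}
}

// Validate reports whether the code is accepted and a short reason.
// replayCheck=false reproduces the vulnerable behaviour: a correct code is
// accepted every time it is presented until the window moves on.
func (v *Validator) Validate(keyName string, secret []byte, code string, now time.Time, replayCheck bool) (bool, string) {
	if len(code) != digits {
		return false, "malformed code"
	}
	cur := counterAt(now)
	v.mu.Lock()
	defer v.mu.Unlock()
	// Drop cache entries whose time step can no longer validate anyway.
	for k, c := range v.used {
		if c+skew < cur {
			delete(v.used, k)
		}
	}
	for d := -skew; d <= skew; d++ {
		c := uint64(int64(cur) + int64(d)) // clock is far from 0 in practice
		// Constant-time compare so a wrong guess leaks nothing about the right code.
		if !hmac.Equal([]byte(hotp(secret, c)), []byte(code)) {
			continue
		}
		if replayCheck {
			k := fmt.Sprintf("%s:%d", keyName, c)
			if _, seen := v.used[k]; seen {
				return false, "code already used"
			}
			v.used[k] = c
		}
		return true, "ok"
	}
	return false, "invalid code"
}

func main() {
	// Constructed inputs: the RFC 6238 reference secret and a fixed clock.
	secret := []byte("12345678901234567890")
	now := time.Unix(1735689600, 0)
	code := GenerateTOTP(secret, now)
	naive, fixed := NewValidator(), NewValidator()
	for i := 0; i < 2; i++ {
		at := now.Add(time.Duration(i*5) * time.Second)
		okN, whyN := naive.Validate("my-key", secret, code, at, false)
		okF, whyF := fixed.Validate("my-key", secret, code, at, true)
		fmt.Printf("attempt %d: vulnerable=%v (%s)  fixed=%v (%s)\n", i+1, okN, whyN, okF, whyF)
	}
}
```

The second attempt is the whole difference: the vulnerable path answers "ok" twice, the hardened path answers "code already used". The same check works against a live server after upgrading: read a code with `vault read totp/code/<key>`, submit it with `vault write totp/code/<key> code=<code>`, and submit it a second time within the same 30-second window; on a fixed version the second submission must be refused.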
Recommendations:
Update Vault to version 1.20.1 or later.
Update Vault Enterprise to version 1.20.1, 1.19.7, 1.18.12, or 1.16.23 or later, according to the release branch in use.