PT-2025-31679 · Hashicorp · Vault +1

Yarden Porat · Published 2025-08-01 · Updated 2025-08-01 · CVE-2025-6011

CVSS v3.1: 3.7
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions:

Vault versions prior to 1.20.1

Vault Enterprise versions prior to 1.20.1

Vault Enterprise version 1.19.7

Vault Enterprise version 1.18.12

Vault Enterprise version 1.16.23

Description:

A timing side channel in the userpass authentication method allowed an attacker to differentiate between existing and non-existing users, potentially enabling the enumeration of valid usernames.
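A generic illustration of the weakness class described above, added here and not taken from Vault's source: the page does not say where the timing difference arose, so the early-return shape of `loginLeaky` is an assumption about a common cause. `slowHash`, `users`, `dummy` and `kdfCalls` are hypothetical names, and the iterated SHA-256 stands in for a real password KDF.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// kdfCalls counts slow-hash invocations so the work done per login path is observable.
var kdfCalls int

// slowHash is a stand-in for a real password KDF (assumption: iterated SHA-256, stdlib only).
func slowHash(password string, salt []byte) []byte {
	kdfCalls++
	sum := sha256.Sum256(append([]byte(password), salt...))
	for i := 0; i < 20000; i++ {
		sum = sha256.Sum256(sum[:])
	}
	return sum[:]
}

type user struct{ salt, hash []byte }

// Constructed sample store with one account, plus a dummy record for unknown usernames.
var users = map[string]user{"alice": {[]byte("s1"), slowHash("correct horse", []byte("s1"))}}
var dummy = user{[]byte("s0"), slowHash("not-a-real-password", []byte("s0"))}

// loginLeaky returns before hashing when the user is unknown, so a fast reply means "no such user".
func loginLeaky(name, password string) bool {
	u, ok := users[name]
	if !ok {
		return false
	}
	return subtle.ConstantTimeCompare(slowHash(password, u.salt), u.hash) == 1
}

// loginUniform always performs one slowHash and one constant-time compare, known user or not.
func loginUniform(name, password string) bool {
	u, ok := users[name]
	if !ok {
		u = dummy // same cost as a real account; the result is discarded below
	}
	match := subtle.ConstantTimeCompare(slowHash(password, u.salt), u.hash) == 1
	return ok && match
}

func main() {
	fmt.Println(loginLeaky("alice", "correct horse"), loginUniform("mallory", "x"))
}
```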

Recommendations:

Update Vault to version 1.20.1 or later.

Update Vault Enterprise to version 1.20.1 or later.

Update Vault Enterprise to version 1.19.7 or later.

Update Vault Enterprise to version 1.18.12 or later.

Update Vault Enterprise to version 1.16.23 or later.

Fix

Side Channel Attack

Weakness Enumeration

Related Identifiers

CVE-2025-6011
GHSA-MWGR-84FV-3JH9

Affected Products

Vault
Vault Enterprise