CVE-2025-6011
BaseFortify
Publication date: 2025-08-01
Last updated on: 2025-08-13
Assigner: HashiCorp Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hashicorp | vault | to 1.16.23 (exc) |
| hashicorp | vault | to 1.20.1 (exc) |
| hashicorp | vault | From 1.17.0 (inc) to 1.18.12 (exc) |
| hashicorp | vault | From 1.19.0 (inc) to 1.19.7 (exc) |
| hashicorp | vault | 1.20.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-203 | The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a timing side channel issue in Vault and Vault Enterprise's userpass authentication method. It allows an attacker to distinguish between existing and non-existing users by measuring response times, potentially enabling the attacker to enumerate valid usernames for the userpass auth method.
How can this vulnerability impact me? :
The vulnerability can impact you by allowing an attacker to identify valid usernames in your Vault userpass authentication system. This information can be used to facilitate further attacks, such as targeted password guessing or social engineering, potentially compromising user accounts.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Vault Community Edition to version 1.20.1 or later, or Vault Enterprise to versions 1.20.1, 1.19.7, 1.18.12, or 1.16.23 or later.