CVE-2025-6013
BaseFortify

Publication date: 2025-08-06

Last updated on: 2025-12-15

Assigner: HashiCorp Inc.

Description
Vault and Vault Enterprise’s (“Vault”) ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and 1.16.24.
Affected Vendors & Products
6 associated CPEs (version ranges as published in the CPE data; they do not distinguish Community Edition from Enterprise)

Vendor     Product   Version / Range
hashicorp  vault     From 1.10.0 (inc) to 1.15.16 (inc)
hashicorp  vault     From 1.10.0 (inc) to 1.20.2 (exc)
hashicorp  vault     From 1.16.0 (inc) to 1.16.24 (exc)
hashicorp  vault     From 1.17.0 (inc) to 1.18.13 (exc)
hashicorp  vault     From 1.19.0 (inc) to 1.19.8 (exc)
hashicorp  vault     From 1.20.0 (inc) to 1.20.2 (exc)
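The ranges above can be turned into an "am I affected, and what do I upgrade to" check. The following is an added example, not HashiCorp's code and not from this page. It follows the fixed versions given in the description (Community Edition is only fixed in 1.20.2; the 1.19.8, 1.18.13 and 1.16.24 backports are Enterprise releases), which is stricter for Community Edition than the edition-agnostic CPE ranges. Two assumptions are made: the "+ent" suffix that Enterprise builds print in `vault version` identifies the edition, and 1.10.0 is treated as the first affected version because that is the lower bound of the CPE ranges listed here (the advisory text itself does not state one).

```python
"""Decide whether a Vault build is affected by CVE-2025-6013 and which
fixed release to move to.

Added example, not HashiCorp's code. Fixed versions are the ones in the
advisory description (CE 1.20.2; Enterprise 1.20.2, 1.19.8, 1.18.13,
1.16.24). The lower bound 1.10.0 is taken from the CPE ranges on this page.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

FIRST_AFFECTED: Version = (1, 10, 0)  # assumption: lower bound of the CPE ranges
CE_FIXES = [(1, 20, 2)]               # Community Edition: only the latest series is fixed
ENT_FIXES = [(1, 16, 24), (1, 18, 13), (1, 19, 8), (1, 20, 2)]  # Enterprise backports

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(s: str) -> Tuple[Version, bool]:
    """Parse 'vault version' style strings such as '1.18.12', 'v1.19.7+ent',
    'Vault v1.20.1+ent.hsm (sha...)'.  Returns ((major, minor, patch), is_enterprise).
    Assumption: a '+ent' suffix marks an Enterprise build."""
    s = s.strip()
    if s.lower().startswith("vault "):
        s = s[6:]
    m = _VERSION_RE.match(s)
    if not m:
        raise ValueError(f"unrecognised Vault version string: {s!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch), "+ent" in s


def _fixed_on_series(v: Version, enterprise: bool) -> bool:
    """True if v is at or past the fix published for its own minor series."""
    fixes = ENT_FIXES if enterprise else CE_FIXES
    return any(v[:2] == f[:2] and v >= f for f in fixes)


def is_affected(version: str) -> bool:
    """Affected = inside the advisory's range and not on a fixed release of its series."""
    v, ent = parse_version(version)
    if v < FIRST_AFFECTED or v >= (1, 20, 2):  # before the range, or at/after the top fix
        return False
    return not _fixed_on_series(v, ent)


def remediation_target(version: str) -> Optional[str]:
    """Smallest fixed release above the given build, or None if it is not affected.
    Enterprise users on an unpatched series (e.g. 1.17.x) are pointed at the next
    backport (1.18.13); Community Edition users are always pointed at 1.20.2."""
    if not is_affected(version):
        return None
    v, ent = parse_version(version)
    fixes = ENT_FIXES if ent else CE_FIXES
    target = min(f for f in fixes if f > v)
    return ".".join(map(str, target))


if __name__ == "__main__":
    import sys

    for arg in sys.argv[1:] or ["1.18.12+ent", "1.19.8", "1.20.1", "1.20.2"]:
        print(f"{arg}: upgrade to {remediation_target(arg) or 'nothing, not affected'}")
```

Note the Community Edition case: a CE cluster on 1.19.8 is still reported as affected, because the description names 1.19.8 as an Enterprise fix only; the edition-agnostic CPE range on this page would wrongly clear it.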
CWE
CWE-156: Improper Neutralization of Whitespace. The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as whitespace when they are sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Vault and Vault Enterprise's LDAP authentication method requires two conditions at once: the auth method is configured with username_as_alias set to true, and the user's directory entry carries more than one common name (CN) value that is identical except for leading or trailing whitespace. Under those conditions the login multi-factor authentication (MFA) step may not have been enforced, so the user could obtain a Vault token without completing the required second factor.


How can this vulnerability impact me?

If your Vault deployment meets both conditions, an attacker holding a valid LDAP password for such a user could authenticate to Vault without completing the second factor and receive a token carrying that user's policies. The exposure is to the confidentiality and integrity of whatever secrets and operations those policies grant, which is exactly what login MFA was configured to protect.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade Vault Community Edition to version 1.20.2 or later, or Vault Enterprise to version 1.20.2, 1.19.8, 1.18.13, or 1.16.24 or later. Until the upgrade is applied, review any ldap auth mount that has username_as_alias set to true and check the directory for users with multiple CN values that differ only by leading or trailing whitespace. Be aware that username_as_alias determines the name Vault assigns to each LDAP entity alias, so toggling it on an existing mount can map logins to different entities; verify entity and MFA enforcement mappings in a test environment before changing it in production.
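The check above asks whether any user has CN values that differ only by surrounding whitespace, which is best answered from the directory itself before touching Vault. The following added example (not HashiCorp's or this page's code) audits an LDIF export, such as the output of `ldapsearch -LLL -b <base> '(objectClass=inetOrgPerson)' cn`, for exactly that condition; the search filter is an assumption and the sample records inside the script are constructed. It decodes base64 (`cn::`) values because RFC 2849 requires a value that begins or ends with a space to be written that way, so a plain text search for a trailing space will not find the very entries this advisory is about.

```python
"""Audit an LDIF export for the precondition of CVE-2025-6013: an entry
with two or more cn values that are identical apart from leading or
trailing whitespace.

Added example, not HashiCorp's code. The sample LDIF below is constructed.
"""
import base64
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# Values with leading/trailing whitespace must be base64-encoded in LDIF
# ("cn:: ..."), so they are built here the way an exporter would write them.
_JDOE_TRAILING = base64.b64encode(b"jdoe ").decode()
_MLEE_LEADING = base64.b64encode(b"  mlee").decode()
_MLEE_TAB = base64.b64encode(b"mlee\t").decode()

# Constructed sample export: jdoe and mlee meet the precondition, asmith does not.
SAMPLE_LDIF = f"""\
version: 1
dn: cn=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn: jdoe
cn:: {_JDOE_TRAILING}
sn: Doe

dn: cn=asmith,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn: asmith
cn: Alice Smith
sn: Smith

dn: cn=mlee,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn: mlee
cn:: {_MLEE_LEADING}
cn:: {_MLEE_TAB}
sn: Lee
"""


def parse_ldif(text: str) -> List[Entry]:
    """Minimal RFC 2849 reader: records separated by blank lines, folded
    continuation lines (leading space), '::' base64 values, '#' comments.
    URL-valued attributes ('attr:< url') and the version line are skipped.
    Attribute names are lower-cased; each maps to its list of values."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line: continue the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in lines + [""]:              # trailing "" flushes the last record
        if line.startswith("#") or (not current and line.startswith("version:")):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):           # base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):         # URL reference, not needed here
            continue
        else:
            value = rest.lstrip(" ")
        current.setdefault(name.lower(), []).append(value)
    return entries


def whitespace_collisions(entries: List[Entry], attr: str = "cn") -> List[Tuple[str, str, List[str]]]:
    """Return (dn, stripped_value, raw_values) for every entry in which two or
    more values of `attr` become equal once leading/trailing whitespace is removed."""
    hits: List[Tuple[str, str, List[str]]] = []
    for entry in entries:
        groups: Dict[str, List[str]] = {}
        for value in entry.get(attr, []):
            groups.setdefault(value.strip(), []).append(value)
        for stripped, raw in groups.items():
            if len(raw) > 1:
                hits.append((entry["dn"][0], stripped, raw))
    return hits


def audit(ldif_text: str, attr: str = "cn") -> List[str]:
    """Sorted DNs of entries that satisfy the advisory's precondition."""
    return sorted({dn for dn, _, _ in whitespace_collisions(parse_ldif(ldif_text), attr)})


if __name__ == "__main__":
    import sys

    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for dn, stripped, raw in whitespace_collisions(parse_ldif(text)):
        print(f"{dn}: cn {stripped!r} appears as {raw}")
```

Run it against a real export with `python audit.py users.ldif`; any DN it prints is a user for whom login MFA may be skipped on an unpatched Vault with username_as_alias enabled, and is the one to fix or monitor first. The `attr` parameter exists only so the same check can be pointed at another attribute; the advisory itself concerns cn.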

