CVE-2025-6014
BaseFortify
Publication date: 2025-08-01
Last updated on: 2025-08-13
Assigner: HashiCorp Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hashicorp | vault | to 1.16.23 (exc) |
| hashicorp | vault | to 1.20.1 (exc) |
| hashicorp | vault | From 1.17.0 (inc) to 1.18.12 (exc) |
| hashicorp | vault | From 1.19.0 (inc) to 1.19.7 (exc) |
| hashicorp | vault | 1.20.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-156 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as whitespace when they are sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Vault and Vault Enterprise's TOTP Secrets Engine code validation endpoint, which is susceptible to code reuse within its validity period. This means that an attacker could potentially reuse a valid TOTP code during its active time window, which should normally be prevented.
How can this vulnerability impact me? :
The vulnerability can impact you by allowing an attacker to reuse a valid TOTP code to bypass authentication mechanisms that rely on time-based one-time passwords, potentially leading to unauthorized access. The CVSS score indicates a high confidentiality impact but no impact on integrity or availability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Vault to at least version 1.20.1 for the Community Edition or to one of the fixed versions for Vault Enterprise (1.20.1, 1.19.7, 1.18.12, or 1.16.23).