CVE-2025-6011

A timing side channel in Vault and Vault Enterprise’s (“Vault”) userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially enumerate valid usernames for Vault’s Userpass auth method. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

Published: Aug 1, 2025
Updated: Aug 20, 2025
CVE: CVE-2025-6011
GHSA: GHSA-mwgr-84fv-3jh9
Severity: Low
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CWEs:

CWE-203

Affected Software
References

Software	From	Fixed in
github.com/hashicorp/vault	-	1.20.1
hashicorp / vault	-	1.20.1
hashicorp / vault	-	1.16.23
hashicorp / vault	1.17.0	1.18.12
hashicorp / vault	1.19.0	1.19.7
hashicorp / vault	1.20.0	1.20.0.x

https://discuss.hashicorp.com/t/hcsec-2025-15-timing-side-channel-in-vault-s-userpass-auth-method/76034

Vulnerability Database

CVE-2025-6011