CVE-2025-6014

Vault and Vault Enterprise’s (“Vault”) TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

Published: Aug 1, 2025
Updated: Aug 20, 2025
CVE: CVE-2025-6014
GHSA: GHSA-qv3p-fmv3-9hww
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWEs:

CWE-156

Affected Software
References

Software	From	Fixed in
github.com/hashicorp/vault	-	1.20.1
hashicorp / vault	-	1.20.1
hashicorp / vault	-	1.16.23
hashicorp / vault	1.17.0	1.18.12
hashicorp / vault	1.19.0	1.19.7
hashicorp / vault	1.20.0	1.20.0.x

https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036

Vulnerability Database

CVE-2025-6014