CVE-2025-6015

Vault and Vault Enterprise’s (“Vault”) login MFA rate limits could be bypassed and TOTP tokens could be reused. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

Published: Aug 1, 2025
Updated: Aug 20, 2025
CVE: CVE-2025-6015
GHSA: GHSA-v6r4-35f9-9rpw
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

CWEs:

CWE-307

Affected Software
References

Software	From	Fixed in
github.com/hashicorp/vault	1.10.0	1.20.1
hashicorp / vault	1.17.0	1.18.12
hashicorp / vault	1.19.0	1.19.7
hashicorp / vault	1.20.0	1.20.0.x
hashicorp / vault	1.10.0	1.20.1
hashicorp / vault	1.10.0	1.16.23

https://discuss.hashicorp.com/t/hcsec-2025-19-vault-login-mfa-bypass-of-rate-limiting-and-totp-token-reuse/76038

Vulnerability Database

CVE-2025-6015