Bulletin ID: HCSEC-2025-13
Affected Products / Versions: Vault Community Edition from 0.10.4 up to and including 1.19.5; fixed in 1.20.0.
Vault Enterprise from 0.10.4 up to and including 1.19.5, 1.18.10 and 1.16.21; fixed in 1.20.0, 1.19.6, 1.18.11 and 1.16.22.
Publication Date: August 1, 2025
Summary
A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s token privileges to Vault’s root policy. This vulnerability, identified as CVE-2025-5999, is fixed in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.6, 1.18.11 and 1.16.22.
Background
Vault’s identity secrets engine keeps one record (an “entity”) per Vault client and can map that entity to multiple authentication methods; it is the central place where all Vault clients are managed for authentication and authorization. An operator with write access to the identity API endpoint can attach existing policies to an entity; the root policy is intended to be excluded from what can be attached this way.
Vault namespaces are a mechanism for providing tenant isolation and aiding in the long-term management of a Vault instance. Administrative namespaces grant a given namespace access to a pre-defined subset of privileged backend system endpoints in Vault.
Details
Because policy names are normalised after being checked, and because that input validation on the identity endpoint was incomplete, a privileged Vault operator could cause an entity’s already issued, still valid tokens to carry Vault’s root policy for the remainder of their validity period.
Additional validation applied to namespaced entities means the vulnerability does not affect entities in namespaces (including administrative namespaces); only entities in the root namespace are affected. HCP Vault Dedicated is not affected because its tenants operate in administrative namespaces.
Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Vault Community Edition 1.20.0 or Vault Enterprise 1.20.0, 1.19.6, 1.18.11 or 1.16.22. Please refer to Upgrading Vault for general guidance.
Alternatively, Vault Enterprise customers can deploy Sentinel endpoint governing policies (EGPs) on the identity endpoints to reject writes that would assign the root policy; because the issue stems from policy-name normalisation, such a rule should compare names after the same normalisation Vault applies (at minimum, case-insensitively) rather than testing only for the literal string “root”. To detect whether an entity was assigned the root policy, search the audit logs: requests made with an affected token will contain “root” in the “identity_policies” array of the entry’s “auth” block.
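The audit-log check above, as an added example that is not HashiCorp’s code: it scans JSON audit-device lines and reports every entry whose auth.identity_policies contains "root". The field names used (auth.identity_policies, auth.token_policies, auth.entity_id, auth.display_name, request.path, request.namespace.id) are those of Vault’s JSON audit device; the log lines are constructed for the example. Tokens that are root because of token_policies (the initial root token or one from generate-root) are deliberately not reported, since the bulletin’s indicator is the identity path.

```python
"""Scan Vault audit-log lines for tokens that obtained the root policy via identity.

Added example, not HashiCorp's code. Audit devices write one JSON object per line;
values Vault HMACs by default (client_token, accessor, request.data) are not needed
for this check, so the sample entries below abbreviate them. The sample log is
constructed, not captured from a real cluster.
"""
import json
from typing import Iterable

ROOT_POLICY = "root"

SAMPLE_AUDIT_LOG = """\
{"time":"2025-08-01T09:58:11Z","type":"response","auth":{"accessor":"hmac-sha256:aa","display_name":"userpass-alice","entity_id":"4c0e9b4e-0001","policies":["default","dev"],"token_policies":["default"],"identity_policies":["dev"]},"request":{"operation":"read","path":"secret/data/app","namespace":{"id":"root"}}}
{"time":"2025-08-01T10:02:45Z","type":"response","auth":{"accessor":"hmac-sha256:bb","display_name":"userpass-alice","entity_id":"4c0e9b4e-0001","policies":["default","root"],"token_policies":["default"],"identity_policies":["root"]},"request":{"operation":"update","path":"sys/policies/acl/admin","namespace":{"id":"root"}}}
{"time":"2025-08-01T10:05:02Z","type":"response","auth":{"accessor":"hmac-sha256:cc","display_name":"root","policies":["root"],"token_policies":["root"],"identity_policies":[]},"request":{"operation":"read","path":"sys/health","namespace":{"id":"root"}}}
not-json garbage line that a log shipper might emit
{"time":"2025-08-01T10:07:30Z","type":"request","auth":{"accessor":"hmac-sha256:dd","display_name":"userpass-bob","entity_id":"9a1f3c77-0002","policies":["default","root"],"token_policies":["default"],"identity_policies":["root"]},"request":{"operation":"read","path":"secret/data/app","namespace":{"id":"root"}}}
"""


def find_root_via_identity(lines: Iterable[str]) -> list[dict]:
    """Return one finding per audit entry whose auth.identity_policies contains "root".

    "policies" is the union of token and identity policies, so it is not used:
    only the identity path indicates the escalation described in HCSEC-2025-13.
    """
    findings = []
    for lineno, raw in enumerate(lines, start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # not an audit entry; skip rather than abort the scan
        auth = entry.get("auth") or {}
        if ROOT_POLICY not in (auth.get("identity_policies") or []):
            continue
        request = entry.get("request") or {}
        findings.append({
            "line": lineno,
            "time": entry.get("time"),
            "type": entry.get("type"),          # "request" or "response"
            "entity_id": auth.get("entity_id"),
            "display_name": auth.get("display_name"),
            "namespace": (request.get("namespace") or {}).get("id"),
            "path": request.get("path"),
        })
    return findings


def affected_entities(findings: list[dict]) -> set[str]:
    """Distinct entity IDs whose policy assignments and tokens need review."""
    return {f["entity_id"] for f in findings if f.get("entity_id")}


if __name__ == "__main__":
    hits = find_root_via_identity(SAMPLE_AUDIT_LOG.splitlines())
    for h in hits:
        print(f'line {h["line"]} {h["time"]} {h["type"]:8} entity={h["entity_id"]} '
              f'ns={h["namespace"]} {h["display_name"]} -> {h["path"]}')
    print("entities to review:", sorted(affected_entities(hits)))
```

Run it against a real audit file with `find_root_via_identity(open(path))`. Accessors in the log are HMACed, so to tie a finding back to a live token, hash the candidate accessor with Vault’s sys/audit-hash endpoint for that audit device and compare, or work from the entity ID and revoke its tokens by the auth path they were issued from.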
Acknowledgement
This issue was identified by Yarden Porat of Cyata Security who reported it to HashiCorp.
We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.