Bulletin ID: HCSEC-2025-16
Affected Products / Versions: Vault Community Edition from 1.13.0 up to 1.20.0, fixed in 1.20.1.
Vault Enterprise from 1.13.0 up to 1.20.0, 1.19.6, 1.18.11, 1.16.22, 1.15.15, fixed in 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
Publication Date: August 1, 2025
Summary
Vault and Vault Enterprise’s (“Vault”) user lockout feature could be bypassed for Userpass and LDAP authentication methods. This vulnerability, identified as CVE-2025-6004, is fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
Background
Vault’s user lockout feature provides a configurable, per-user lockout that limits failed login attempts for the Approle, Userpass and LDAP authentication methods.
In Vault’s identity system, each entity has a corresponding entity alias on each configured authentication method.
Details
It was discovered that the user lockout mechanism did not properly normalize entity aliases. Because the failed-login counter was keyed on the un-normalized alias, an attacker could bypass the lockout by varying the case of characters in the user name when the auth method was not configured to be case sensitive: each case variant was tracked as a separate alias, so none of them reached the lockout threshold.
The entity alias returned by the Userpass and LDAP authentication methods is now correctly normalized, while case sensitivity is preserved for LDAP auth mounts that have the case_sensitive_names parameter set.
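The following Python example is added here to illustrate the failure mode described above; it is not Vault’s code and does not reproduce its internals. It models a per-alias lockout counter in two modes: one that keys the counter on the alias exactly as supplied (the bypassable behaviour) and one that lower-cases the alias first unless the mount is case sensitive (the fixed behaviour). The threshold of 5, the lower-casing rule, and the names LockoutTracker, case_variants and failed_attempts_until_locked are assumptions made for the illustration.

```python
# Added illustration, not Vault's implementation: a minimal per-alias lockout
# tracker showing how an un-normalized alias key lets case variants of one
# user name dodge the failed-login threshold, and how normalizing the key
# (except on a case-sensitive mount) closes the gap.
from collections import defaultdict
from dataclasses import dataclass, field
from itertools import product

THRESHOLD = 5  # assumed lockout threshold, analogous to a user_lockout_threshold setting


@dataclass
class LockoutTracker:
    # case_sensitive mirrors an LDAP mount with case_sensitive_names set:
    # "alice" and "Alice" are genuinely different users and must keep
    # separate counters.
    case_sensitive: bool = False
    # normalize_alias=False reproduces the vulnerable behaviour (raw alias as key).
    normalize_alias: bool = True
    failures: dict = field(default_factory=lambda: defaultdict(int))
    locked: set = field(default_factory=set)

    def _key(self, alias: str) -> str:
        if self.normalize_alias and not self.case_sensitive:
            return alias.lower()  # assumed normalization rule
        return alias

    def is_locked(self, alias: str) -> bool:
        return self._key(alias) in self.locked

    def record_failure(self, alias: str) -> bool:
        """Count one failed login; lock the alias once THRESHOLD is reached."""
        key = self._key(alias)
        self.failures[key] += 1
        if self.failures[key] >= THRESHOLD:
            self.locked.add(key)
        return key in self.locked


def case_variants(name: str) -> list:
    """Every distinct capitalisation of name (2**n for n alphabetic chars)."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in name]
    return ["".join(p) for p in product(*choices)]


def failed_attempts_until_locked(tracker: LockoutTracker, name: str,
                                 max_attempts: int = 10_000) -> int:
    """Simulate an attacker guessing wrong passwords for `name`, rotating
    through case variants of the user name and skipping any variant that is
    already locked. Returns how many guesses the lockout let through."""
    variants = case_variants(name)
    made = 0
    while made < max_attempts:
        open_variants = [v for v in variants if not tracker.is_locked(v)]
        if not open_variants:
            break
        tracker.record_failure(open_variants[made % len(open_variants)])
        made += 1
    return made


def ldap_case_sensitive_demo() -> tuple:
    """On a case-sensitive mount the fix must not merge distinct users:
    locking "alice" leaves "Alice" untouched."""
    t = LockoutTracker(case_sensitive=True)
    for _ in range(THRESHOLD):
        t.record_failure("alice")
    return t.is_locked("alice"), t.is_locked("Alice")


if __name__ == "__main__":
    vulnerable = LockoutTracker(normalize_alias=False)
    fixed = LockoutTracker()
    print("raw alias key:", failed_attempts_until_locked(vulnerable, "alice"))
    print("normalized key:", failed_attempts_until_locked(fixed, "alice"))
    print("case-sensitive mount (alice locked, Alice locked):",
          ldap_case_sensitive_demo())
```

With the raw alias as the key, a five-letter name such as "alice" has 32 case variants and the attacker gets THRESHOLD guesses against each of them (160 in total) before every variant is locked; with the normalized key all variants share one counter and the lockout triggers after THRESHOLD guesses. The case-sensitive branch shows why the fix has to keep the raw alias when case_sensitive_names is set: otherwise two different LDAP users would be merged into one counter.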
Remediation
Customers should evaluate the risk associated with this issue and either implement rate-limit quotas as an interim mitigation or upgrade to Vault Community Edition 1.20.1 or Vault Enterprise 1.20.1, 1.19.7, 1.18.12, or 1.16.23. Please refer to Upgrading Vault for general guidance.
Acknowledgement
This issue was identified by Yarden Porat of Cyata Security who reported it to HashiCorp.
We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.