HCSEC-2025-17 - Vault TOTP Secrets Engine Code Reuse

Bulletin ID: HCSEC-2025-17
Affected Products / Versions: Vault Community Edition up to 1.20.0, fixed in 1.20.1.
Vault Enterprise up to 1.20.0, 1.19.6, 1.18.11, 1.16.22, 1.15.15, fixed in 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

Publication Date: August 1, 2025

Summary
Vault and Vault Enterprise’s (“Vault”) TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. This vulnerability, identified as CVE-2025-6014, is fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

Background
Vault’s TOTP secrets engine can be used as a provider to generate new keys and validate TOTP codes generated using those keys. For each code, Vault caches a set of used keys to prevent reuse.

Details
Used code entries in the TOTP used code cache were not normalized, making it possible to reuse existing codes by appending whitespace. Vault will now strictly check the TOTP code length based on the configured key length.
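The following is an added illustration, not Vault's code and only a simplified model of the defect described above: a hypothetical TOTP validator in Go whose used-code cache is keyed on the raw submitted string, beside the strict length check the bulletin names as the fix. The key, counter and expected code are the RFC 4226 test vector; `Validator`, `NewValidator` and the `strict` flag are assumptions for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strings"
)

// hotp is RFC 4226 HOTP (HMAC-SHA1, dynamic truncation); TOTP is hotp(key, t/period, digits).
func hotp(key []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	bin := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	s := fmt.Sprintf("%010d", bin) // 31-bit value, so at most 10 digits
	return s[len(s)-digits:]
}

// Validator is a hypothetical stand-in for a TOTP validation endpoint: the key, its
// configured code length, the used-code cache, and whether the length check is applied.
type Validator struct{ key []byte; digits int; strict bool; used map[string]bool }

func NewValidator(key []byte, digits int, strict bool) *Validator {
	return &Validator{key: key, digits: digits, strict: strict, used: map[string]bool{}}
}

// Validate accepts each code once per counter. With strict=false the cache is keyed on the
// raw input while the comparison trims whitespace, so "755224" and "755224 " are different entries.
func (v *Validator) Validate(counter uint64, code string) bool {
	if v.strict && len(code) != v.digits {
		return false // fix: the submitted code must be exactly the configured length
	}
	want := []byte(hotp(v.key, counter, v.digits))
	if subtle.ConstantTimeCompare([]byte(strings.TrimSpace(code)), want) != 1 || v.used[code] {
		return false
	}
	v.used[code] = true
	return true
}

func main() {
	v := NewValidator([]byte("12345678901234567890"), 6, false) // RFC 4226 test key
	fmt.Println(v.Validate(0, "755224"), v.Validate(0, "755224"), v.Validate(0, "755224 "))
}
```

With `strict` set to true the third call is rejected before any comparison, which is the behaviour the fixed versions enforce.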

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Vault Community Edition 1.20.1 or Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23. Please refer to Upgrading Vault for general guidance.

Acknowledgement
This issue was identified by Yarden Porat of Cyata Security who reported it to HashiCorp.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.