Bulletin ID: HCSEC-2025-18
Affected Products / Versions: Vault Community Edition up to 1.20.0, fixed in 1.20.1.
Vault Enterprise up to 1.20.0, 1.19.6, 1.18.11, 1.16.22, and 1.15.15, fixed in 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
Publication Date: August 1, 2025
Summary
The Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as a trusted certificate. In this configuration, an attacker who holds one of the trusted non-CA certificates and its private key may be able to craft a malicious certificate that impersonates another user. This vulnerability, identified as CVE-2025-6037, is fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
Background
Vault offers a wide range of auth methods, including authentication with TLS client certificates. The TLS certificate auth method accepts two kinds of trusted certificates: CA certificates, which authenticate any client certificate they have signed, and non-CA certificates (for example self-signed leaf certificates), which are trusted directly.
Details
A malicious user in possession of a trusted non-CA certificate and its corresponding private key can use that key to sign a new certificate with an arbitrary CN, including the CN of another trusted user. Because affected versions did not correctly validate a certificate issued this way, the resulting login is mapped to the impersonated user: the attacker's token inherits that user's entity_id and the policies and group memberships attached to that entity.
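As an added illustration (this is not Vault's code and does not claim to be the exact logic of the affected versions), the following Go program reproduces the class of mistake in miniature. naiveIdentity accepts any certificate whose signature verifies under a trusted certificate's key without asking whether that signer is a CA, so a holder of a trusted leaf certificate can mint a certificate carrying someone else's CN. hardenedIdentity lets a trusted non-CA certificate authenticate only itself (exact byte match) and requires everything else to chain, through x509.Verify, to a trusted certificate that is a CA. All certificates, keys and names (alice, bob, carol, corp-ca) are constructed inside the program; the helper names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert mints constructed test material: a certificate for cn, self-signed
// when parent is nil, otherwise signed with parentKey; isCA sets the CA bit.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // CA bit is explicitly asserted or denied
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	signer := key
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// naiveIdentity (hypothetical flawed pattern): accept a certificate if it is
// trusted or if any trusted certificate's key signed it. CheckSignature only
// checks the signature bytes, never whether the signer is a CA.
func naiveIdentity(presented *x509.Certificate, trusted []*x509.Certificate) (string, error) {
	for _, t := range trusted {
		if t.Equal(presented) ||
			t.CheckSignature(presented.SignatureAlgorithm, presented.RawTBSCertificate, presented.Signature) == nil {
			return presented.Subject.CommonName, nil
		}
	}
	return "", x509.UnknownAuthorityError{}
}

// hardenedIdentity: a trusted non-CA certificate authenticates only itself;
// anything else must chain to a trusted CA via x509.Verify, which enforces
// basicConstraints and keyUsage on every signer in the chain.
func hardenedIdentity(presented *x509.Certificate, trusted []*x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	for _, t := range trusted {
		if t.Equal(presented) {
			return presented.Subject.CommonName, nil
		}
		if t.BasicConstraintsValid && t.IsCA {
			roots.AddCert(t)
		}
	}
	if _, err := presented.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err
	}
	return presented.Subject.CommonName, nil
}

// Outcome records the identity each checker assigns; "" means the login was rejected.
type Outcome struct{ NaiveForged, HardenedForged, HardenedAlice, HardenedCarol string }

// RunScenario: alice and bob are pinned non-CA trusted certs, corp-ca is a real
// CA with leaf carol; alice uses her own key to issue a certificate with bob's CN.
func RunScenario() Outcome {
	alice, aliceKey := newCert("alice", false, nil, nil)
	bob, _ := newCert("bob", false, nil, nil)
	corpCA, corpKey := newCert("corp-ca", true, nil, nil)
	carol, _ := newCert("carol", false, corpCA, corpKey)
	trusted := []*x509.Certificate{alice, bob, corpCA}
	forged, _ := newCert("bob", false, alice, aliceKey)
	var o Outcome
	o.NaiveForged, _ = naiveIdentity(forged, trusted)
	o.HardenedForged, _ = hardenedIdentity(forged, trusted)
	o.HardenedAlice, _ = hardenedIdentity(alice, trusted)
	o.HardenedCarol, _ = hardenedIdentity(carol, trusted)
	return o
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

The naive checker maps the forged certificate to bob, while the hardened checker rejects it and still accepts alice's own pinned certificate and carol's CA-issued one. The design point is that a non-CA trusted certificate must never be used as an issuer for chain building; it identifies exactly one client certificate and nothing signed by it.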
Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Vault Community Edition 1.20.1 or Vault Enterprise 1.20.1, 1.19.7, 1.18.12, or 1.16.23. Only TLS certificate auth mounts that trust a non-CA certificate are affected, so reviewing the certificates configured on each cert auth mount indicates exposure. Please refer to Upgrading Vault for general guidance.
Acknowledgement
This issue was identified by Yarden Porat of Cyata Security who reported it to HashiCorp.
We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.