Bulletin ID: HCSEC-2025-19
Affected Products / Versions: Vault Community Edition from 1.10.0 up to 1.20.0, fixed in 1.20.1.
Vault Enterprise from 1.10.0 up to 1.20.0, 1.19.6, 1.18.11, 1.16.22, 1.15.15, fixed in 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
Publication Date: August 1, 2025
Summary
Vault and Vault Enterprise’s (“Vault”) login MFA rate limits could be bypassed and TOTP tokens could be reused. This vulnerability, CVE-2025-6015, is fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
Background
Vault’s login MFA is built on Vault’s identity system and enforces multi-factor authentication when a client authenticates through an auth method. Vault supports various login MFA types, including TOTP. Vault prevents the same TOTP code from being used more than once within its validity period.
Details
Vault’s login MFA did not correctly normalize TOTP codes prior to enforcing the once-per-validity-window check, potentially allowing an attacker to resubmit a previously used code during the MFA check.
Vault will now strictly validate the length of the provided TOTP code. The TOTP validation will now return a generic error if the passcode was already used.
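The pattern described above, as an added illustration that is not Vault's code: a TOTP verifier whose replay cache is consulted before the submitted passcode is normalized, shown beside a hardened verifier that enforces the exact digit count up front, keys the once-per-window check on the canonical code, and returns one generic error for both a wrong and a reused passcode. The specific normalization gap used here (trailing the replay check with a whitespace trim) is a constructed example of the class, not the defect in the bulletin; the secret is the RFC 6238 test secret and the timestamp is fixed so the run is deterministic.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
	"time"
)

// totpCode computes an RFC 6238 code (HMAC-SHA1, RFC 4226 truncation) for a counter.
func totpCode(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, bin%mod)
}

// Verifier holds the shared secret and a cache of passcodes already accepted,
// keyed by time-step counter so entries naturally stop mattering once the window passes.
type Verifier struct {
	secret      []byte
	digits      int
	stepSeconds int64
	used        map[string]bool
}

func NewVerifier(secret []byte, digits int) *Verifier {
	return &Verifier{secret: secret, digits: digits, stepSeconds: 30, used: map[string]bool{}}
}

func (v *Verifier) counter(now time.Time) uint64 { return uint64(now.Unix() / v.stepSeconds) }

func (v *Verifier) key(counter uint64, code string) string { return fmt.Sprintf("%d:%s", counter, code) }

// matches compares in constant time against the expected code for this counter.
func (v *Verifier) matches(code string, counter uint64) bool {
	return hmac.Equal([]byte(code), []byte(totpCode(v.secret, counter, v.digits)))
}

// VerifyLoose models the flawed ordering (constructed, not Vault's code): the replay cache is
// checked on the raw submission, and normalization happens only afterwards, so two spellings
// of one passcode are recorded as distinct entries and the second spelling is accepted again.
func (v *Verifier) VerifyLoose(raw string, now time.Time) error {
	c := v.counter(now)
	if v.used[v.key(c, raw)] {
		return errors.New("passcode already used") // distinct error leaks which check failed
	}
	code := strings.TrimSpace(raw) // normalization after the replay check: the gap
	if !v.matches(code, c) {
		return errors.New("invalid passcode")
	}
	v.used[v.key(c, raw)] = true
	return nil
}

var errInvalid = errors.New("invalid passcode")

// VerifyStrict is the hardened form: exact length and ASCII digits are required before anything
// else, the replay check runs on that canonical string, and wrong and reused passcodes are
// indistinguishable to the caller.
func (v *Verifier) VerifyStrict(raw string, now time.Time) error {
	if len(raw) != v.digits {
		return errInvalid
	}
	for _, ch := range raw {
		if ch < '0' || ch > '9' {
			return errInvalid
		}
	}
	c := v.counter(now)
	if v.used[v.key(c, raw)] || !v.matches(raw, c) {
		return errInvalid
	}
	v.used[v.key(c, raw)] = true
	return nil
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret
	now := time.Unix(59, 0)                  // fixed time: counter 1
	code := totpCode(secret, 1, 6)
	loose, strict := NewVerifier(secret, 6), NewVerifier(secret, 6)
	fmt.Println("loose  first use:", loose.VerifyLoose(code, now))
	fmt.Println("loose  padded replay:", loose.VerifyLoose(" "+code, now))
	fmt.Println("strict first use:", strict.VerifyStrict(code, now))
	fmt.Println("strict padded replay:", strict.VerifyStrict(" "+code, now))
	fmt.Println("strict exact replay:", strict.VerifyStrict(code, now))
}
```

The order of operations is the whole point: any canonicalization (trimming, padding, character-set handling) has to happen before the used-code lookup and the match, and the lookup has to be keyed on the canonical value, or the replay protection degrades to a check on the literal string the client chose to send. Returning the same generic error for a reused and an invalid code is the second half of the fix in the bulletin, since a distinct "already used" response confirms to the caller that the code itself was correct.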
Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Vault Community Edition 1.20.1 or Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23. Please refer to Upgrading Vault for general guidance.
Acknowledgement
This issue was identified by Yarden Porat of Cyata Security who reported it to HashiCorp.
We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.