Bulletin ID: HCSEC-2025-20
Affected Products / Versions: Vault Community Edition from 1.10.0 up to 1.20.1, fixed in 1.20.2.
Vault Enterprise from 1.10.0 up to 1.20.1, 1.19.7, 1.18.12, 1.16.23, 1.15.16, fixed in 1.20.2, 1.19.8, 1.18.13, and 1.16.24.
Publication Date: August 6, 2025
Summary
Vault and Vault Enterprise’s (“Vault”) ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. This vulnerability, CVE-2025-6013, is fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and 1.16.24.
Background
Vault’s ldap auth method allows authentication using an existing LDAP server and user/password credentials. The optional username_as_alias parameter allows the ldap username to be used as the alias name for the ldap auth method.
Vault’s login MFA provides a means to link an existing auth method, or an entity within that auth method, to additional authentication factors, such as TOTP. TOTP can be enforced for any auth method, identity group, or entity ID.
Details
LDAP usernames containing additional whitespace may be valid and result in a successful authentication from the ldap backend after normalization. When setting the alias name on successful login, the ldap auth method would set the entity alias name to the value provided by the user rather than using the normalized user DN information returned by the ldap directory.
Because of this inconsistency in normalizing strings with additional spaces, entity alias names could diverge from the normalized username and potentially produce duplicate entity alias IDs, which resulted in MFA enforcement not being respected in some configurations.
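As an added audit example (not HashiCorp's or Vault's own code), the following Python groups the entity aliases of one auth mount by whitespace-normalized name and reports aliases that differ only by leading or trailing spaces, which is the condition this bulletin describes. It assumes the `key_info` map returned in the data of Vault's `LIST /v1/identity/entity-alias/id` API; the sample map, alias IDs and mount accessor below are constructed placeholders.

```python
import json
from collections import defaultdict

# Constructed sample shaped like the "key_info" map of
# LIST /v1/identity/entity-alias/id; ids and accessors are placeholders.
SAMPLE_KEY_INFO = {
    "alias-0001": {"name": "jdoe",   "mount_accessor": "auth_ldap_PLACEHOLDER", "canonical_id": "entity-0001"},
    "alias-0002": {"name": " jdoe",  "mount_accessor": "auth_ldap_PLACEHOLDER", "canonical_id": "entity-0002"},
    "alias-0003": {"name": "jdoe ",  "mount_accessor": "auth_ldap_PLACEHOLDER", "canonical_id": "entity-0003"},
    "alias-0004": {"name": "asmith", "mount_accessor": "auth_ldap_PLACEHOLDER", "canonical_id": "entity-0004"},
    "alias-0005": {"name": "jdoe",   "mount_accessor": "auth_userpass_PLACEHOLDER", "canonical_id": "entity-0005"},
}


def normalize_alias_name(name):
    """Collapse the leading/trailing-whitespace variants into a single key."""
    return name.strip()


def find_whitespace_collisions(key_info, mount_accessor):
    """Return {normalized_name: [aliases]} for names that several aliases of
    the given mount share once whitespace is stripped. Each such alias is
    bound to its own entity, so an entity-scoped MFA enforcement on one of
    them does not cover the others."""
    groups = defaultdict(list)
    for alias_id, info in key_info.items():
        if info.get("mount_accessor") != mount_accessor:
            continue
        groups[normalize_alias_name(info["name"])].append(
            {"alias_id": alias_id, "name": info["name"], "canonical_id": info["canonical_id"]}
        )
    return {n: members for n, members in groups.items() if len(members) > 1}


def unnormalized_aliases(key_info, mount_accessor):
    """Alias IDs on the mount whose stored name still carries leading/trailing whitespace."""
    return sorted(
        alias_id
        for alias_id, info in key_info.items()
        if info.get("mount_accessor") == mount_accessor and info["name"] != normalize_alias_name(info["name"])
    )


if __name__ == "__main__":
    print(json.dumps(find_whitespace_collisions(SAMPLE_KEY_INFO, "auth_ldap_PLACEHOLDER"), indent=2))
    print("aliases with stray whitespace:", unnormalized_aliases(SAMPLE_KEY_INFO, "auth_ldap_PLACEHOLDER"))
```

Against a live cluster, substitute the `key_info` object from the API response and the accessor of the ldap mount; any reported group should be reconciled into one entity before relying on entity-scoped MFA enforcement.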
Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Vault Community Edition 1.20.2 or Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and 1.16.24. Please refer to Upgrading Vault for general guidance.
Acknowledgement
This issue was identified by Yarden Porat of Cyata Security who reported it to HashiCorp.
We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.