HCSEC-2025-21 - Vault User Enumeration in Userpass Auth Method

Bulletin ID: HCSEC-2025-21
Affected Products / Versions: Vault Community from 1.13.0 up to 1.20.2.
Vault Enterprise from 1.13.0 up to 1.20.2, 1.19.8, 1.18.13, and 1.16.24.

Publication Date: August 6, 2025

Summary
Vault Community and Vault Enterprise’s (“Vault”) userpass method is affected by a user enumeration vulnerability. This may allow an attacker to enumerate valid usernames on this auth method through brute force or a list of known usernames. CVE-2025-6010 was reserved by HashiCorp to track this issue, which will be fixed in an upcoming Vault release.

Background
Vault’s userpass auth method allows users to authenticate to Vault using a username and password combination.

Remediation
As of the time of publication, this issue is not fixed in a released version of Vault Community or Vault Enterprise. This bulletin will be updated when a fixed version is released.

While we believe this is a low-risk issue, customers who wish to reduce the impact of this vulnerability should consider using rate-limit quotas (see below) in Vault or enabling network-level rate-limiting controls that restrict access to Vault. Customers may also consider enforcing login MFA for the userpass auth mounts.

vault write sys/quotas/rate-limit/userpass-auth-ratelimit \
    name="userpass-auth-ratelimit" \
    path="namespace1/auth/userpass*" \
    rate=10 \
    interval="1m" \
    block_interval="5m"

Refer to the create a rate limit quota documentation for other examples.
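The rate-limit quota above slows an enumeration attempt down; a complementary step is to notice one in the audit log. The script below is an added example and is not part of this bulletin or of Vault itself. It assumes the JSON shape written by Vault's file audit device (top-level "time", "type" and "error" fields, with "path" and "remote_address" under "request"), that the userpass method is mounted at its default path "auth/userpass", and that a failed login produces a "response" entry carrying an "error". The audit lines, addresses and usernames are constructed for the example. It flags any source address that fails logins for several distinct usernames inside a short window, which is the pattern a username-list probe leaves behind, while a single user mistyping their own password is left alone.

```python
import json
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample audit entries (one JSON object per line, as Vault's file
# audit device writes them). Values are made up for this example.
SAMPLE_AUDIT_LINES = [
    # one address failing logins for five different usernames within seconds
    '{"time":"2025-08-06T10:00:01Z","type":"response","request":{"operation":"update","path":"auth/userpass/login/alice","remote_address":"203.0.113.7"},"error":"invalid username or password"}',
    '{"time":"2025-08-06T10:00:02Z","type":"response","request":{"operation":"update","path":"auth/userpass/login/bob","remote_address":"203.0.113.7"},"error":"invalid username or password"}',
    '{"time":"2025-08-06T10:00:03Z","type":"response","request":{"operation":"update","path":"auth/userpass/login/carol","remote_address":"203.0.113.7"},"error":"invalid username or password"}',
    '{"time":"2025-08-06T10:00:04Z","type":"response","request":{"operation":"update","path":"auth/userpass/login/dave","remote_address":"203.0.113.7"},"error":"invalid username or password"}',
    '{"time":"2025-08-06T10:00:05Z","type":"response","request":{"operation":"update","path":"auth/userpass/login/erin","remote_address":"203.0.113.7"},"error":"invalid username or password"}',
    # a legitimate user mistyping their own password twice, then succeeding
    '{"time":"2025-08-06T10:00:10Z","type":"response","request":{"operation":"update","path":"auth/userpass/login/frank","remote_address":"198.51.100.22"},"error":"invalid username or password"}',
    '{"time":"2025-08-06T10:00:30Z","type":"response","request":{"operation":"update","path":"auth/userpass/login/frank","remote_address":"198.51.100.22"},"error":"invalid username or password"}',
    '{"time":"2025-08-06T10:00:40Z","type":"response","request":{"operation":"update","path":"auth/userpass/login/frank","remote_address":"198.51.100.22"},"auth":{"display_name":"userpass-frank"}}',
    # a request-type entry for an unrelated path, ignored by the detector
    '{"time":"2025-08-06T10:00:41Z","type":"request","request":{"operation":"read","path":"secret/data/app","remote_address":"198.51.100.22"}}',
]

# Assumed default mount path; adjust if userpass is mounted elsewhere.
LOGIN_MARKER = "auth/userpass/login/"


def parse_failed_userpass_logins(lines):
    """Return a time-sorted list of (timestamp, remote_address, username)
    for every audit response that records a failed userpass login."""
    events = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed line instead of aborting the scan
        # only response entries carry the outcome; a missing "error" means success
        if entry.get("type") != "response" or not entry.get("error"):
            continue
        request = entry.get("request", {})
        path = request.get("path", "")
        idx = path.find(LOGIN_MARKER)  # find() tolerates a namespace prefix
        if idx == -1:
            continue
        username = path[idx + len(LOGIN_MARKER):]
        ts = datetime.fromisoformat(entry["time"].replace("Z", "+00:00"))
        events.append((ts, request.get("remote_address", "unknown"), username))
    events.sort()
    return events


def find_enumeration_sources(lines, window_seconds=60, threshold=5):
    """Map each remote address that failed logins for at least `threshold`
    distinct usernames within any `window_seconds` span to the sorted list
    of usernames it probed. Repeated failures for one username do not count."""
    by_addr = defaultdict(list)
    for ts, addr, user in parse_failed_userpass_logins(lines):
        by_addr[addr].append((ts, user))

    flagged = defaultdict(set)
    for addr, failures in by_addr.items():
        window = deque()  # sliding window of (timestamp, username)
        for ts, user in failures:
            window.append((ts, user))
            while (ts - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            distinct = {u for _, u in window}
            if len(distinct) >= threshold:
                flagged[addr].update(distinct)
    return {addr: sorted(users) for addr, users in flagged.items()}


if __name__ == "__main__":
    for addr, users in find_enumeration_sources(SAMPLE_AUDIT_LINES).items():
        print(f"{addr}: failed logins for {len(users)} distinct usernames: {', '.join(users)}")
```

The window and threshold are deliberately small so the constructed sample trips the rule; in production, pick values that sit above what a misconfigured client or a shared NAT address produces, and feed the function the audit file line by line rather than the in-memory list.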

Acknowledgement
This issue was identified by Yarden Porat of Cyata Security who reported it to HashiCorp.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.