Bulletin ID: HCSEC-2025-22
Affected Products / Versions: Vault Community Edition and Vault Enterprise; fixed in Vault 1.20.2, 1.19.8, 1.18.13, and 1.16.24.
Publication Date: August 6, 2025
Summary
HashiCorp recently published eight security bulletins for issues impacting Vault Community Edition and Vault Enterprise, all of which have been addressed in the latest Vault versions: 1.20.2, 1.19.8, 1.18.13, and 1.16.24.
Background
Earlier this year, a security researcher reported multiple vulnerabilities impacting Vault and Vault Enterprise. These vulnerabilities range in severity and exploitability, but generally focus on core authentication flows. The vulnerabilities are:
- HCSEC-2025-20 - Vault LDAP MFA Enforcement Bypass When Using Username As Alias
- HCSEC-2025-19 - Vault Login MFA Bypass of Rate Limiting and TOTP Token Reuse
- HCSEC-2025-18 - Vault Certificate Auth Method Did Not Validate Common Name For Non-CA Certificates
- HCSEC-2025-17 - Vault TOTP Secrets Engine Code Reuse
- HCSEC-2025-16 - Vault Userpass and LDAP User Lockout Bypass
- HCSEC-2025-15 - Timing Side-Channel in Vault’s Userpass Auth Method
- HCSEC-2025-14 - Privileged Vault Operator May Execute Code on the Underlying Host
- HCSEC-2025-13 - Vault Root Namespace Operator May Elevate Token Privileges
In addition, HashiCorp has published a bulletin for a vulnerability that has been disclosed but is not yet remediated. While we believe this issue presents a low risk, this bulletin includes details and guidance for operators who wish to mitigate the vulnerability until a fix is available:
Remediation
Customers should evaluate the risk associated with each issue and consider upgrading to Vault Community Edition 1.20.2 or Vault Enterprise 1.20.2, 1.19.8, 1.18.13, or 1.16.24. Please refer to Upgrading Vault for general guidance.
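The fixed releases above are per minor release line, so an operator checking a fleet needs to compare each node's version against the fix for its own line, and treat lines the bulletin does not list (for example 1.17.x) as not covered. The following script is an added example and not HashiCorp's code; it takes the version string as input (how you obtain it, for instance from `vault status` or the `/v1/sys/health` endpoint, is left to the operator) and the fixed versions are the ones listed in this bulletin.

```python
"""Check a Vault version string against the fixed releases in HCSEC-2025-22.

Added example, not HashiCorp code. FIXED_VERSIONS holds the releases named in
the bulletin; any release line not listed there is reported as not covered.
"""
import re

# Fixed releases from the bulletin, keyed by (major, minor) release line.
FIXED_VERSIONS = {
    (1, 20): (1, 20, 2),
    (1, 19): (1, 19, 8),
    (1, 18): (1, 18, 13),
    (1, 16): (1, 16, 24),
}

# Accepts "1.20.2", "v1.19.8", and Enterprise strings such as "1.19.8+ent".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_version(text: str) -> tuple:
    """Turn a Vault version string into a (major, minor, patch) tuple of ints.

    Build metadata such as "+ent" is ignored; it does not affect ordering.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Vault version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_patched(version: str) -> tuple:
    """Return (patched, reason) for the bulletin set HCSEC-2025-22.

    A version is patched when it is at or above the fixed release of its own
    minor line. Lines the bulletin does not list are reported as not covered
    rather than guessed at, so the operator checks the release notes instead.
    """
    parsed = parse_version(version)
    line = parsed[:2]
    fixed = FIXED_VERSIONS.get(line)
    if fixed is None:
        return False, (f"{version}: release line {line[0]}.{line[1]} is not "
                       "covered by HCSEC-2025-22; check its release notes")
    fixed_text = ".".join(str(n) for n in fixed)
    if parsed >= fixed:
        return True, f"{version}: at or above fixed release {fixed_text}"
    return False, f"{version}: upgrade to {fixed_text} or later"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for node, ver in [("vault-a", "1.20.1"), ("vault-b", "v1.19.8+ent"),
                      ("vault-c", "1.17.3"), ("vault-d", "1.16.24")]:
        ok, why = is_patched(ver)
        print(f"{node:8} {'OK ' if ok else 'FIX'} {why}")
```

The comparison uses the minor line rather than a single global threshold on purpose: 1.18.13 is a fixed release even though it sorts below 1.19.0, and 1.19.7 is not fixed even though it sorts above 1.18.13.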
Acknowledgement
HashiCorp thanks Yarden Porat and the Cyata Security team for disclosing these issues, as well as for their collaboration on the remediation and disclosure of these issues.
We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.