CVE-2025-6011: CWE-203: Observable Discrepancy in HashiCorp Vault

Low
Tags: Vulnerability, CVE-2025-6011, CWE-203
Published: Fri Aug 01 2025 (08/01/2025, 18:00:24 UTC)
Source: CVE Database V5
Vendor/Project: HashiCorp
Product: Vault

Description

A timing side channel in Vault and Vault Enterprise’s (“Vault”) userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially enumerate valid usernames for Vault’s Userpass auth method. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

AI-Powered Analysis

AI analysis last updated: 08/01/2025, 18:33:18 UTC

Technical Analysis

CVE-2025-6011 is a timing side-channel vulnerability affecting HashiCorp Vault and Vault Enterprise's Userpass authentication method. The vulnerability arises because the authentication process leaks timing information that allows an attacker to distinguish between valid and invalid usernames. Specifically, the time taken to respond to authentication attempts differs measurably depending on whether the username exists in the system or not. This discrepancy enables an attacker to enumerate valid usernames by measuring response times, which is a form of information disclosure categorized under CWE-203 (Observable Discrepancy). The vulnerability does not allow direct compromise of credentials or system integrity but leaks sensitive information that can facilitate further attacks, such as targeted brute force or social engineering. The issue affects multiple versions of Vault prior to the patched releases: Vault Community Edition 1.20.1 and Vault Enterprise versions 1.20.1, 1.19.7, 1.18.12, and 1.16.23. The CVSS v3.1 score is 3.7 (low severity), reflecting the limited impact on confidentiality and no impact on integrity or availability. Exploitation requires network access but no authentication or user interaction. No known exploits are currently reported in the wild. The vulnerability is mitigated by applying the patches released by HashiCorp in the specified versions.

Potential Impact

For European organizations using HashiCorp Vault with the Userpass authentication method, this vulnerability poses a risk of user enumeration. While the direct impact is limited to information disclosure, the ability to identify valid usernames can significantly aid attackers in launching targeted attacks such as credential stuffing, phishing, or brute force attempts. This is particularly concerning for organizations managing sensitive data or critical infrastructure, where user credentials are a valuable target. The vulnerability does not allow direct compromise of Vault secrets or system availability but weakens the security posture by exposing valid user identifiers. Organizations in sectors like finance, healthcare, government, and critical infrastructure in Europe, which often rely on Vault for secrets management, could see an increased risk of follow-on attacks if this vulnerability is not addressed. However, the low CVSS score and absence of known exploits suggest the immediate risk is moderate but should not be ignored.

Mitigation Recommendations

1. Apply the official patches released by HashiCorp for Vault Community Edition 1.20.1 and Vault Enterprise versions 1.20.1, 1.19.7, 1.18.12, and 1.16.23 as soon as possible to eliminate the timing discrepancy.
2. If immediate patching is not feasible, implement network-level controls such as rate limiting and IP blacklisting to reduce the feasibility of automated username enumeration attempts.
3. Monitor authentication logs for unusual patterns indicative of enumeration attempts, such as repeated failed login attempts with varying usernames.
4. Consider disabling the Userpass authentication method if it is not required, or replacing it with more secure authentication methods supported by Vault, such as token-based or OIDC authentication.
5. Educate security teams to recognize the risks associated with user enumeration and incorporate this vulnerability into threat modeling and incident response plans.
6. Employ application-layer mitigations such as uniform response times and uniform error messages to reduce timing side-channel leakage if custom authentication methods are used.
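Recommendation 6 is the general defence against this class of bug. The example below is added here to illustrate it; it is not Vault's code and does not reproduce the specific defect in Vault's userpass backend. It contrasts a login routine that returns early for unknown users (so the expensive password hashing is skipped and the response is measurably faster) with one that always runs the same hashing and constant-time comparison against a precomputed dummy hash, so the "user not found" and "wrong password" paths cost the same. The user store, `slowHash` (iterated SHA-256 standing in for a real password KDF) and the password values are all constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"sort"
	"time"
)

// userStore is a constructed in-memory store: username -> slow hash of password.
type userStore struct {
	hashes map[string][]byte
}

// kdfRounds makes slowHash expensive enough that skipping it is visible in timing.
const kdfRounds = 20000

// slowHash stands in for a real password KDF (bcrypt/scrypt/argon2) using
// iterated SHA-256. It is an example stand-in, not a production KDF.
func slowHash(password string) []byte {
	sum := sha256.Sum256([]byte(password))
	for i := 1; i < kdfRounds; i++ {
		sum = sha256.Sum256(sum[:])
	}
	return sum[:]
}

// dummyHash is computed once at startup so the unknown-user path can do the
// same amount of work as the known-user path.
var dummyHash = slowHash("placeholder-password-never-matches")

// newSampleStore builds the constructed sample data used by the example.
func newSampleStore() *userStore {
	return &userStore{hashes: map[string][]byte{
		"alice": slowHash("correct horse battery staple"),
	}}
}

// loginLeaky returns early when the user does not exist, so an unknown user is
// rejected far faster than a known user with a wrong password (CWE-203 pattern).
func loginLeaky(s *userStore, user, pass string) bool {
	stored, ok := s.hashes[user]
	if !ok {
		return false // no KDF work done: observable timing difference
	}
	return subtle.ConstantTimeCompare(slowHash(pass), stored) == 1
}

// loginUniform always runs the KDF and a constant-time compare, substituting
// dummyHash for unknown users, so both failure paths take the same time.
func loginUniform(s *userStore, user, pass string) bool {
	stored, ok := s.hashes[user]
	known := 0
	if ok {
		known = 1
	} else {
		stored = dummyHash
	}
	match := subtle.ConstantTimeCompare(slowHash(pass), stored)
	// Bitwise AND instead of && so the result does not short-circuit.
	return match&known == 1
}

// medianLatency calls fn n times and returns the median wall-clock duration,
// a crude stand-in for the measurement an auditor would make over the network.
func medianLatency(fn func() bool, n int) time.Duration {
	samples := make([]time.Duration, n)
	for i := range samples {
		start := time.Now()
		fn()
		samples[i] = time.Since(start)
	}
	sort.Slice(samples, func(a, b int) bool { return samples[a] < samples[b] })
	return samples[n/2]
}

func main() {
	s := newSampleStore()
	for name, login := range map[string]func(*userStore, string, string) bool{
		"leaky": loginLeaky, "uniform": loginUniform,
	} {
		known := medianLatency(func() bool { return login(s, "alice", "wrong") }, 7)
		unknown := medianLatency(func() bool { return login(s, "mallory", "wrong") }, 7)
		fmt.Printf("%-8s known-user reject=%v  unknown-user reject=%v\n", name, known, unknown)
	}
}
```

Run it and the leaky variant rejects an unknown user orders of magnitude faster than a known user with a bad password, while the uniform variant shows the two rejections within noise of each other. The same idea (equal work on every path, constant-time comparison, one generic error message) is what recommendation 6 asks for in any custom auth method.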

Technical Details

Data Version
5.1
Assigner Short Name
HashiCorp
Date Reserved
2025-06-11T18:57:02.577Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 688d04c8ad5a09ad00cb1889

Added to database: 8/1/2025, 6:17:44 PM

Last enriched: 8/1/2025, 6:33:18 PM

Last updated: 8/2/2025, 6:17:01 AM
