CVE-2025-6011: CWE-203: Observable Discrepancy in HashiCorp Vault
A timing side channel in Vault and Vault Enterprise’s (“Vault”) userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially enumerate valid usernames for Vault’s Userpass auth method. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
AI Analysis
Technical Summary
CVE-2025-6011 is a timing side-channel vulnerability affecting HashiCorp Vault and Vault Enterprise's Userpass authentication method. The vulnerability arises because the authentication process leaks timing information that allows an attacker to distinguish between valid and invalid usernames. Specifically, the time taken to respond to authentication attempts differs measurably depending on whether the username exists in the system or not. This discrepancy enables an attacker to enumerate valid usernames by measuring response times, which is a form of information disclosure categorized under CWE-203 (Observable Discrepancy). The vulnerability does not allow direct compromise of credentials or system integrity but leaks sensitive information that can facilitate further attacks, such as targeted brute force or social engineering. The issue affects multiple versions of Vault prior to the patched releases: Vault Community Edition 1.20.1 and Vault Enterprise versions 1.20.1, 1.19.7, 1.18.12, and 1.16.23. The CVSS v3.1 score is 3.7 (low severity), reflecting the limited impact on confidentiality and no impact on integrity or availability. Exploitation requires network access but no authentication or user interaction. No known exploits are currently reported in the wild. The vulnerability is mitigated by applying the patches released by HashiCorp in the specified versions.
Potential Impact
For European organizations using HashiCorp Vault with the Userpass authentication method, this vulnerability poses a risk of user enumeration. While the direct impact is limited to information disclosure, the ability to identify valid usernames can significantly aid attackers in launching targeted attacks such as credential stuffing, phishing, or brute force attempts. This is particularly concerning for organizations managing sensitive data or critical infrastructure, where user credentials are a valuable target. The vulnerability does not allow direct compromise of Vault secrets or system availability but weakens the security posture by exposing valid user identifiers. Organizations in sectors like finance, healthcare, government, and critical infrastructure in Europe, which often rely on Vault for secrets management, could see an increased risk of follow-on attacks if this vulnerability is not addressed. However, the low CVSS score and absence of known exploits suggest the immediate risk is moderate but should not be ignored.
Mitigation Recommendations
1. Apply the official patches released by HashiCorp for Vault Community Edition 1.20.1 and Vault Enterprise versions 1.20.1, 1.19.7, 1.18.12, and 1.16.23 as soon as possible to eliminate the timing discrepancy.
2. If immediate patching is not feasible, implement network-level controls such as rate limiting and IP blacklisting to reduce the feasibility of automated username enumeration attempts.
3. Monitor authentication logs for unusual patterns indicative of enumeration attempts, such as repeated failed login attempts with varying usernames.
4. Consider disabling the Userpass authentication method if it is not required or replacing it with more secure authentication methods supported by Vault, such as token-based or OIDC authentication.
5. Educate security teams to recognize the risks associated with user enumeration and incorporate this vulnerability into threat modeling and incident response plans.
6. Employ application-layer mitigations like introducing uniform response times or error messages to reduce timing side-channel leakage if custom authentication methods are used.
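The following is an added illustration of recommendation 6, not code from Vault or HashiCorp: a minimal username/password login in the two shapes the advisory contrasts. `login_leaky` short-circuits when the user does not exist, so unknown users get an answer before the password KDF runs; `login_uniform` always does the same KDF work against a dummy record and a constant-time compare, then folds the existence check in last. The user store, passwords, and the PBKDF2 iteration count are constructed sample values.

```python
import hashlib
import hmac
import os
import time
from statistics import median

ITERATIONS = 50_000  # constructed: deliberately slow KDF, as a real password store would use

def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_store(users: dict) -> dict:
    """Constructed sample user store: username -> (salt, pbkdf2 hash)."""
    store = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        store[name] = (salt, _hash_pw(pw, salt))
    return store

# Dummy record for the hardened path, so an unknown user costs the same KDF work as a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_pw("dummy-password-never-accepted", _DUMMY_SALT)

def login_leaky(store: dict, username: str, password: str) -> bool:
    """Vulnerable shape: unknown users return before the KDF runs, so they answer measurably faster."""
    rec = store.get(username)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(_hash_pw(password, salt), stored)

def login_uniform(store: dict, username: str, password: str) -> bool:
    """Hardened shape: same KDF and constant-time compare on every path; existence is checked last."""
    rec = store.get(username)
    exists = rec is not None
    salt, stored = rec if exists else (_DUMMY_SALT, _DUMMY_HASH)
    ok = hmac.compare_digest(_hash_pw(password, salt), stored)
    return ok and exists  # a guess matching the dummy record is still rejected

def median_ms(fn, store: dict, username: str, password: str, rounds: int = 5) -> float:
    """Median wall-clock time of fn over a few rounds, to compare the two paths locally."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        fn(store, username, password)
        samples.append((time.perf_counter() - t0) * 1000)
    return median(samples)

if __name__ == "__main__":
    store = make_store({"alice": "correct horse"})
    for fn in (login_leaky, login_uniform):
        known = median_ms(fn, store, "alice", "wrong")
        unknown = median_ms(fn, store, "nobody", "wrong")
        print(f"{fn.__name__:14s} known-user={known:.1f}ms unknown-user={unknown:.1f}ms")
```

Running the script locally shows the gap between the known-user and unknown-user timings collapse for `login_uniform`, which is the property a defender wants to verify after hardening a custom auth method.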
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Switzerland, Belgium, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: HashiCorp
- Date Reserved: 2025-06-11T18:57:02.577Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 688d04c8ad5a09ad00cb1889
Added to database: 8/1/2025, 6:17:44 PM
Last enriched: 8/1/2025, 6:33:18 PM
Last updated: 8/2/2025, 6:17:01 AM