CVE-2025-6013: CWE-156: Improper Neutralization of Whitespace in HashiCorp Vault
Vault and Vault Enterprise’s (“Vault”) ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and 1.16.24.
AI Analysis
Technical Summary
CVE-2025-6013 is classified under CWE-156 (Improper Neutralization of Whitespace) and affects the LDAP auth method in HashiCorp Vault and Vault Enterprise. It is reachable only when the method's username_as_alias option is set to true, which makes Vault use the username supplied at login, rather than the user's DN, as the entity alias name. Directory servers treat leading and trailing spaces as insignificant when they match string attributes, so an account whose entry carries several CN values that differ only by such padding (for example "alice" and "alice ") is a single user to the directory. Vault did not neutralise that padding, and in this situation login MFA could fail to be enforced for the account; the advisory does not describe the exact code path beyond that. The CVSS 3.1 base score is 6.5 (medium): network attack vector, low attack complexity, high privileges required (PR:H), no user interaction, with impact on confidentiality and integrity and none on availability. In practice the precondition is a valid first factor for the account (its LDAP password) plus the whitespace-variant CN values in the directory; the second factor that Vault's login MFA should demand can then be skipped, and the resulting token carries the account's policies and access to the secrets behind them. Fixed releases are Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13 and 1.16.24; earlier releases on each of those branches are affected. No public exploit has been reported. The general lesson is that a value used as an identity key must be normalised the same way on every path that compares it, or two components will disagree about whether two strings name the same principal.
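To make the mechanism concrete, here is an added Python example written for this page (it is not HashiCorp's code) that contrasts LDAP's whitespace-insensitive equality with a byte-exact identity key, and scans a directory export for the CN pattern the advisory describes. `ldap_prep` is a simplified stand-in for RFC 4518 string preparation, `MfaPolicy` is a toy enforcement table rather than Vault's identity MFA, and `SAMPLE_ENTRIES` is a constructed directory snapshot. The scan goes slightly beyond the advisory's leading/trailing case: it also flags internal runs of spaces and case-only differences, because LDAP equality matching ignores those too.

```python
"""Added example (not Vault code): whitespace-variant CNs versus an
exact-match identity key, the disagreement behind CVE-2025-6013.

LDAP equality matching (caseIgnoreMatch, RFC 4518 string preparation) treats
leading and trailing spaces as insignificant and folds case, so a search for
"alice" matches the stored value "alice ". Anything that keys identity state
on the raw string sees two different users. ldap_prep() is a simplified
approximation of the RFC 4518 rules, not any server's implementation.
"""
import unicodedata
from collections import defaultdict


def ldap_prep(value: str) -> str:
    """Simplified RFC 4518 preparation for caseIgnoreMatch: NFKC, case fold,
    trim leading/trailing whitespace, collapse internal runs of whitespace."""
    folded = unicodedata.normalize("NFKC", value).casefold()
    return " ".join(folded.split())


def ldap_equal(a: str, b: str) -> bool:
    """Equality as a directory server would decide it."""
    return ldap_prep(a) == ldap_prep(b)


def exact_alias_key(username: str) -> str:
    """Identity key as a byte-exact alias lookup would compute it."""
    return username


def canonical_alias_key(username: str) -> str:
    """Identity key after neutralising insignificant whitespace and case."""
    return ldap_prep(username)


class MfaPolicy:
    """Toy login-MFA enforcement keyed on an alias name (hypothetical model,
    not Vault's identity store). key_fn decides whether the key is byte-exact
    or canonicalised; that choice is the whole difference."""

    def __init__(self, key_fn, enforced_aliases):
        self.key_fn = key_fn
        self.enforced = {key_fn(alias) for alias in enforced_aliases}

    def requires_mfa(self, username: str) -> bool:
        return self.key_fn(username) in self.enforced


def find_whitespace_variant_cns(entries):
    """entries: {dn: {"cn": [values...]}} as parsed from an LDIF export.
    Return {dn: [groups of cn values that are LDAP-equal but not identical]}.
    This is the directory audit an administrator would run before patching."""
    findings = {}
    for dn, attrs in entries.items():
        groups = defaultdict(list)
        for cn in attrs.get("cn", []):
            groups[ldap_prep(cn)].append(cn)
        variants = [g for g in groups.values() if len(g) > 1 and len(set(g)) > 1]
        if variants:
            findings[dn] = variants
    return findings


# Constructed directory snapshot for the example (not real data). alice has the
# advisory's pattern (trailing space); carol shows an internal double space.
SAMPLE_ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com": {"cn": ["alice", "alice "]},
    "uid=bob,ou=people,dc=example,dc=com": {"cn": ["bob"]},
    "uid=carol,ou=people,dc=example,dc=com": {"cn": ["Carol Smith", "Carol  Smith"]},
}


def demo():
    """Run both policies against the padded login name and audit the snapshot."""
    exact = MfaPolicy(exact_alias_key, ["alice"])
    canonical = MfaPolicy(canonical_alias_key, ["alice"])
    return {
        "ldap_equal": ldap_equal("alice", "alice "),          # directory: same user
        "exact_requires_mfa": exact.requires_mfa("alice "),   # byte-exact key: miss
        "canonical_requires_mfa": canonical.requires_mfa("alice "),
        "findings": find_whitespace_variant_cns(SAMPLE_ENTRIES),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The pair to look at is `exact_requires_mfa` (False for "alice ") against `canonical_requires_mfa` (True): the directory authenticated the same person both times, but only the canonicalised key recognises the enforced identity. `find_whitespace_variant_cns` is the same check the mitigation section below asks administrators to run; feed it the cn values of an LDIF export of the user subtree that Vault binds against.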
Potential Impact
An attacker who already holds an affected account's LDAP password can obtain a Vault token through the LDAP auth method without completing the login MFA that should gate it. The CVSS vector rates privileges required as high; at minimum the attacker needs that valid first factor, and the whitespace-variant CN values must already exist in the directory, which is usually a directory-administration privilege to create. The token carries whatever policies the account's entity and groups grant, so the exposure is the set of secrets behind those policies: credentials, encryption keys and configuration secrets, readable and in many cases writable. Confidentiality and integrity are affected; availability is not. Two conditions narrow the population at risk: username_as_alias must be true on the LDAP mount, and the directory must hold CN values for one user that differ only by leading or trailing spaces. Where both hold, an organisation that relies on login MFA as the compensating control for a compromised password no longer has that control for the affected accounts, which also matters for compliance regimes that require MFA on privileged secret stores.
Mitigation Recommendations
Upgrade to a fixed release: Vault Community Edition 1.20.2 or later, or Vault Enterprise 1.20.2, 1.19.8, 1.18.13 or 1.16.24 (or later on the same branch); Enterprise branches not listed have no fix and need a branch upgrade. Until then, reduce exposure in three places. In the directory, export the user entries Vault binds against and look for accounts with more than one cn value whose values are equal after trimming leading and trailing spaces, then remove the padded duplicates. In the Vault configuration, read auth/ldap/config and check username_as_alias; if it is true only for historical reasons, consider returning it to the default of false, but plan the change: alias names then switch from username to DN, so existing entity aliases no longer match subsequent logins and must be updated or re-created, otherwise users land in fresh entities without their group memberships and MFA assignments. In the MFA setup, review which target each login-MFA enforcement uses (auth-method accessor or type, identity group, or identity entity): an enforcement bound to the mount accessor applies to every login through that mount, whereas entity- or group-bound enforcements apply only when the login resolves to the expected entity. Watch the audit-device log for LDAP login paths whose username segment carries leading or trailing whitespace, and for the same trimmed username resolving to more than one entity_id; neither should occur in normal operation. Restrict network reachability of the Vault API to the sources that need it, and after patching, re-test that a login for an affected account is prompted for its second factor.
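As an added operational example (not HashiCorp tooling), the Python below turns two of these recommendations into checks: a version comparison against the fixed releases listed above, and a scan of JSON audit-device lines for padded LDAP login usernames and for trimmed usernames that resolved to more than one entity ID. The mount name `ldap`, the `VAULT_ADDR`/`VAULT_TOKEN` environment variables that `main()` uses for an optional live query of `sys/health` and `auth/ldap/config`, and `SAMPLE_AUDIT_LINES` are assumptions and constructed data for this example.

```python
"""Added example (not HashiCorp code): two checks for CVE-2025-6013.

is_vault_version_fixed() compares a Vault version string with the fixed
releases named in the advisory. scan_audit_log() reads JSON audit-device
lines and flags LDAP login usernames with leading/trailing whitespace and
trimmed usernames that resolved to more than one entity_id. main() runs the
scan on constructed sample lines and, if VAULT_ADDR and VAULT_TOKEN are set,
also asks a live cluster for its version and username_as_alias setting.
"""
import json
import os
import re
import urllib.request
from collections import defaultdict

# Fixed releases from the advisory: Enterprise by minor branch, CE single fix.
FIXED_ENT = {20: (1, 20, 2), 19: (1, 19, 8), 18: (1, 18, 13), 16: (1, 16, 24)}
FIXED_CE = (1, 20, 2)
LDAP_MOUNT = "ldap"  # assumption: LDAP auth method mounted at auth/ldap

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+](.*))?$")


def parse_version(version):
    """((major, minor, patch), is_enterprise) for '1.19.7+ent',
    '1.20.1+ent.hsm', 'v1.18.5' and similar."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Vault version: {version!r}")
    triple = tuple(int(x) for x in m.group(1, 2, 3))
    return triple, (m.group(4) or "").startswith("ent")


def is_vault_version_fixed(version):
    """True if the build contains the fix for CVE-2025-6013."""
    (major, minor, patch), ent = parse_version(version)
    if major != 1:
        return major > 1
    if ent:
        if minor > 20:
            return True
        fixed = FIXED_ENT.get(minor)
        # Enterprise branches with no listed fix (e.g. 1.17.x) have no patched
        # release: treat as affected; only a branch upgrade helps.
        return fixed is not None and (major, minor, patch) >= fixed
    return (major, minor, patch) >= FIXED_CE


def scan_audit_log(lines, mount=LDAP_MOUNT):
    """Return (padded_usernames, split_identities).

    padded_usernames: sorted distinct login usernames whose bytes differ from
      their trimmed form (an exact-match alias key would differ as well).
    split_identities: {trimmed, case-folded username: sorted entity_ids} for
      usernames that resolved to more than one entity.
    """
    login_prefix = f"auth/{mount}/login/"
    padded, entities = set(), defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        entry = json.loads(line)
        path = entry.get("request", {}).get("path", "")
        if not path.startswith(login_prefix):
            continue
        username = path[len(login_prefix):]
        if username != username.strip():
            padded.add(username)
        entity_id = entry.get("auth", {}).get("entity_id")
        if entry.get("type") == "response" and entity_id:
            entities[username.strip().casefold()].add(entity_id)
    split = {u: sorted(ids) for u, ids in entities.items() if len(ids) > 1}
    return sorted(padded), split


# Constructed audit lines (not a real log); field names follow Vault's JSON
# audit format. Note the trailing space in the second alice login.
SAMPLE_AUDIT_LINES = [
    '{"type":"request","request":{"operation":"update","path":"auth/ldap/login/alice"}}',
    '{"type":"response","request":{"operation":"update","path":"auth/ldap/login/alice"},'
    '"auth":{"display_name":"ldap-alice","entity_id":"11111111-0000-4000-8000-000000000001"}}',
    '{"type":"request","request":{"operation":"update","path":"auth/ldap/login/alice "}}',
    '{"type":"response","request":{"operation":"update","path":"auth/ldap/login/alice "},'
    '"auth":{"display_name":"ldap-alice ","entity_id":"11111111-0000-4000-8000-000000000002"}}',
    '{"type":"response","request":{"operation":"update","path":"auth/ldap/login/bob"},'
    '"auth":{"display_name":"ldap-bob","entity_id":"11111111-0000-4000-8000-000000000003"}}',
]


def _vault_get(addr, token, path):
    req = urllib.request.Request(f"{addr}/v1/{path}", headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def main():
    padded, split = scan_audit_log(SAMPLE_AUDIT_LINES)
    print("padded login usernames:", padded)
    print("usernames resolving to several entities:", split)
    addr, token = os.environ.get("VAULT_ADDR"), os.environ.get("VAULT_TOKEN")
    if addr and token:  # optional live check against a real cluster
        health = _vault_get(addr, token, "sys/health?standbyok=true&perfstandbyok=true")
        cfg = _vault_get(addr, token, f"auth/{LDAP_MOUNT}/config")["data"]
        print(f"vault {health['version']}: fixed={is_vault_version_fixed(health['version'])}"
              f" username_as_alias={cfg.get('username_as_alias')}")


if __name__ == "__main__":
    main()
```

Point `scan_audit_log` at the lines of a file or socket audit device; in the sample, "alice " is reported as a padded username and the trimmed name "alice" is shown resolving to two entity IDs, which is the split the whitespace causes. The version check deliberately treats an Enterprise branch with no listed fix as affected rather than guessing.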
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.1
- Assigner Short Name: HashiCorp
- Date Reserved: 2025-06-11T19:00:51.574Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68932bc9ad5a09ad00f05f39
Added to database: 8/6/2025, 10:17:45 AM
Last enriched: 2/27/2026, 4:07:52 AM
Last updated: 3/26/2026, 7:04:57 AM