CVE-2025-6004

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-6004
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-6004.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-6004
Aliases
Downstream
Related
Published
2025-08-01T18:15:56.570Z
Modified
2026-04-10T05:32:18.594982Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
[none]
Details

Vault and Vault Enterprise’s (“Vault”) user lockout feature could be bypassed for Userpass and LDAP authentication methods. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

References

Affected packages

Git / github.com/hashicorp/vault

Affected ranges

Type
GIT
Repo
https://github.com/hashicorp/vault
Events
Introduced
a4cf0dc4437de35fce4860857b64569d092a9b5a
Fixed
b403b1a27c8db6038ffefb296d7be0962e08039d
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
6fdd6b59e97d97a9e19b0fb5304bf879c190295e
Database specific 
{
    "versions": [
        {
            "introduced": "1.13.0"
        },
        {
            "fixed": "1.20.1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.20.0"
        }
    ]
}

Affected versions

api/auth/approle/v0.*
api/auth/approle/v0.1.0
api/auth/approle/v0.1.1
api/auth/approle/v0.10.0
api/auth/approle/v0.2.0
api/auth/approle/v0.3.0
api/auth/approle/v0.4.0
api/auth/approle/v0.4.1
api/auth/approle/v0.5.0
api/auth/approle/v0.6.0
api/auth/approle/v0.7.0
api/auth/approle/v0.8.0
api/auth/approle/v0.9.0
api/auth/aws/v0.*
api/auth/aws/v0.1.0
api/auth/aws/v0.10.0
api/auth/aws/v0.2.0
api/auth/aws/v0.3.0
api/auth/aws/v0.4.0
api/auth/aws/v0.4.1
api/auth/aws/v0.5.0
api/auth/aws/v0.6.0
api/auth/aws/v0.7.0
api/auth/aws/v0.8.0
api/auth/aws/v0.9.0
api/auth/azure/v0.*
api/auth/azure/v0.1.0
api/auth/azure/v0.2.0
api/auth/azure/v0.3.0
api/auth/azure/v0.4.0
api/auth/azure/v0.4.1
api/auth/azure/v0.5.0
api/auth/azure/v0.6.0
api/auth/azure/v0.7.0
api/auth/azure/v0.8.0
api/auth/azure/v0.9.0
api/auth/gcp/v0.*
api/auth/gcp/v0.1.0
api/auth/gcp/v0.10.0
api/auth/gcp/v0.2.0
api/auth/gcp/v0.3.0
api/auth/gcp/v0.4.0
api/auth/gcp/v0.4.1
api/auth/gcp/v0.5.0
api/auth/gcp/v0.6.0
api/auth/gcp/v0.7.0
api/auth/gcp/v0.8.0
api/auth/gcp/v0.9.0
api/auth/kubernetes/v0.*
api/auth/kubernetes/v0.1.0
api/auth/kubernetes/v0.10.0
api/auth/kubernetes/v0.2.0
api/auth/kubernetes/v0.3.0
api/auth/kubernetes/v0.4.0
api/auth/kubernetes/v0.4.1
api/auth/kubernetes/v0.5.0
api/auth/kubernetes/v0.6.0
api/auth/kubernetes/v0.7.0
api/auth/kubernetes/v0.8.0
api/auth/kubernetes/v0.9.0
api/auth/ldap/v0.*
api/auth/ldap/v0.1.0
api/auth/ldap/v0.10.0
api/auth/ldap/v0.2.0
api/auth/ldap/v0.3.0
api/auth/ldap/v0.4.0
api/auth/ldap/v0.4.1
api/auth/ldap/v0.5.0
api/auth/ldap/v0.6.0
api/auth/ldap/v0.7.0
api/auth/ldap/v0.8.0
api/auth/ldap/v0.9.0
api/auth/userpass/v0.*
api/auth/userpass/v0.1.0
api/auth/userpass/v0.10.0
api/auth/userpass/v0.2.0
api/auth/userpass/v0.3.0
api/auth/userpass/v0.4.0
api/auth/userpass/v0.4.1
api/auth/userpass/v0.5.0
api/auth/userpass/v0.6.0
api/auth/userpass/v0.7.0
api/auth/userpass/v0.8.0
api/auth/userpass/v0.9.0
api/v1.*
api/v1.0.1
api/v1.0.2
api/v1.0.3
api/v1.0.4
api/v1.1.1
api/v1.10.0
api/v1.11.0
api/v1.12.0
api/v1.12.1
api/v1.12.2
api/v1.13.0
api/v1.14.0
api/v1.15.0
api/v1.16.0
api/v1.2.0
api/v1.20.0
api/v1.3.1
api/v1.5.0
api/v1.6.0
api/v1.7.0
api/v1.7.1
api/v1.7.2
api/v1.8.0
api/v1.8.1
api/v1.8.2
api/v1.8.3
api/v1.9.0
api/v1.9.1
api/v1.9.2
Other
last-go-modable
main-creation
sdk/v0.*
sdk/v0.1.10
sdk/v0.1.11
sdk/v0.1.12
sdk/v0.1.13
sdk/v0.1.8
sdk/v0.1.9
sdk/v0.10.0
sdk/v0.10.1
sdk/v0.11.0
sdk/v0.11.1
sdk/v0.12.0
sdk/v0.13.0
sdk/v0.14.0
sdk/v0.14.1
sdk/v0.15.0
sdk/v0.16.0
sdk/v0.17.0
sdk/v0.18.0
sdk/v0.2.1
sdk/v0.3.0
sdk/v0.4.1
sdk/v0.5.0
sdk/v0.5.1
sdk/v0.5.3
sdk/v0.6.0
sdk/v0.6.1
sdk/v0.6.2
sdk/v0.7.0
sdk/v0.8.0
sdk/v0.9.0
sdk/v0.9.1
sdk/v0.9.2
v0.*
v0.1.0
v0.1.1
v0.1.2
v0.10.0
v0.10.0-rc1
v0.10.1
v0.10.2
v0.10.3
v0.10.4
v0.11.0
v0.11.0-beta1
v0.11.1
v0.11.2
v0.2.0
v0.2.0.rc1
v0.3.0
v0.3.0-rc
v0.3.1
v0.4.0
v0.4.0-rc1
v0.5.0
v0.5.0-rc1
v0.5.0-rc1.1
v0.5.0-rc1.2
v0.5.0-rc2
v0.5.1
v0.5.2
v0.6.0
v0.6.0-beta1
v0.6.0-beta2
v0.6.0-rc1
v0.6.0-rebuild
v0.6.1
v0.6.1-rc1
v0.6.1-rc2
v0.6.1-rc3
v0.6.2
v0.6.3
v0.6.4
v0.6.5
v0.7.0
v0.7.0-beta1
v0.7.1
v0.7.2
v0.7.3
v0.8.0
v0.8.0-beta1
v0.8.0-rc1
v0.8.1
v0.8.2
v0.8.3
v0.9.0
v0.9.1
v0.9.2
v0.9.4
v0.9.5
v0.9.6
v1.*
v1.0.0
v1.0.0-beta1
v1.0.0-beta2
v1.0.0-rc1
v1.0.1
v1.0.2
v1.0.3
v1.1.0
v1.1.0-beta1
v1.1.0-beta2
v1.1.1
v1.2.0
v1.2.0-beta1
v1.2.0-beta2
v1.2.0-rc1
v1.20.0
v1.20.0-rc1
v1.20.0-rc2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-6004.json"
unresolved_ranges 
[
    {
        "events": [
            {
                "introduced": "1.13.0"
            },
            {
                "fixed": "1.16.23"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "1.17.0"
            },
            {
                "fixed": "1.18.12"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "1.19.0"
            },
            {
                "fixed": "1.19.7"
            }
        ]
    }
]