CVE-2025-6015

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-6015

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-6015.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-6015

Aliases

BIT-vault-2025-6015
GHSA-v6r4-35f9-9rpw
GO-2025-3842

Downstream

MINI-4h2r-8vqr-96qf

Published

2025-08-01T18:15:57Z

Modified

2025-08-13T20:32:14Z

Summary

[none]

Details

Vault and Vault Enterprise’s (“Vault”) login MFA rate limits could be bypassed and TOTP tokens could be reused. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

References

https://discuss.hashicorp.com/t/hcsec-2025-19-vault-login-mfa-bypass-of-rate-limiting-and-totp-token-reuse/76038

Affected packages

Git / github.com/hashicorp/vault

Affected ranges

Type: GIT
Repo: https://github.com/hashicorp/vault
Events: Introduced

7738ec5d0d6f5bf94a809ee0f6ff0142cfa525a6

Fixed

b403b1a27c8db6038ffefb296d7be0962e08039d