GHSA-qv3p-fmv3-9hww
Suggest an improvement- Source
- https://github.com/advisories/GHSA-qv3p-fmv3-9hww
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-qv3p-fmv3-9hww/GHSA-qv3p-fmv3-9hww.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-qv3p-fmv3-9hww
- Aliases
-
- CVE-2025-6014
- Downstream
- Published
- 2025-08-01T18:31:19Z
- Modified
- 2025-08-01T21:57:24.941505Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Hashicorp Vault's TOTP Secrets Engine Susceptible to Code Reuse
- Details
-
Vault and Vault Enterprise’s (“Vault”) TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
- Database specific
{ "nvd_published_at": "2025-08-01T18:15:56Z", "github_reviewed": true, "github_reviewed_at": "2025-08-01T21:08:57Z", "severity": "MODERATE", "cwe_ids": [ "CWE-156" ] }- References
Affected packages
Go / github.com/hashicorp/vault
Package
- Name
- github.com/hashicorp/vault
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/hashicorp/vault