Vault Login MFA Bypass of Rate Limiting and TOTP Code...

5.7 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Description

Vault and Vault Enterprise’s (“Vault”) login MFA rate limits could be bypassed and TOTP tokens could be reused. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

Basic Information

ID CVE-2025-6015

Source HashiCorp

Published Aug 1, 2025 at 18:03

Modified Aug 1, 2025 at 18:35

Affected Product

Vendor HashiCorp

Product Vault

Version 1.10.0

Affected Versions HashiCorp Vault 1.10.0
HashiCorp Vault Enterprise 1.10.0

CWE Classification

CWE-307

References

discuss.hashicorp.com /t/hcsec-2025-19-vault-login-mfa-bypass-of-rate-limiting-and-totp-token-reuse/76038

{
    "lastseen": "",
    "description": "Vault and Vault Enterprise\u2019s (\u201cVault\u201d) login MFA rate limits could be bypassed and TOTP tokens could be reused. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.",
    "published": "2025-08-01T18:03:53.214Z",
    "modified": "2025-08-01T18:35:17.893Z",
    "type": "cve",
    "title": "Vault Login MFA Bypass of Rate Limiting and TOTP Code Reuse",
    "source": "HashiCorp",
    "references": "https://discuss.hashicorp.com/t/hcsec-2025-19-vault-login-mfa-bypass-of-rate-limiting-and-totp-token-reuse/76038",
    "id": "CVE-2025-6015",
    "bulletinFamily": "",
    "cwe": [
        "CWE-307"
    ],
    "cvelist": null,
    "sourceData": "HashiCorp Vault 1.10.0\nHashiCorp Vault Enterprise 1.10.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.7,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Vault",
    "version": "1.10.0",
    "vendor": "HashiCorp",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Vault Login MFA Bypass of Rate Limiting and TOTP Code Reuse_CVE-2025-6015