Timing Side-Channel in Vault’s Userpass Auth Method

August 1, 2025 invoker category_cve

CVE Details

Basic Information

Title Timing Side-Channel in Vault’s Userpass Auth Method
Type cve
Published 2025-08-01T18:00:24.528Z
Modified 2025-08-01T19:06:58.251Z

Product Information

Vendor HashiCorp
Product Vault
Version 0

CVSS Information

Base Score 3.7 (LOW)
Attack Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected Products

  • HashiCorp Vault 0
  • HashiCorp Vault Enterprise 0

Additional Information

CWE List CWE-203
Source HashiCorp

Description

A timing side channel in Vault and Vault Enterprise’s (“Vault”) userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially enumerate valid usernames for Vault’s Userpass auth method. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.