CVE-2025-6014

Summary

Vault and Vault Enterprise’s (“Vault”) TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

Affected Software

VendorProductVersion RangeStatus
HashiCorpVault0 < 1.20.1affected
HashiCorpVault Enterprise0 < 1.20.1affected

Weaknesses

  • CWE-156: CWE-156: Improper Neutralization of Whitespace

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References