Security Advisory

CVE-2025-6011

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2025-08-01 18:00:24
Last updated 2025-08-01 19:06:58
Assigner HashiCorp
State PUBLISHED

Description

A timing side channel in Vault and Vault Enterprise’s (“Vault”) userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially enumerate valid usernames for Vault’s Userpass auth method. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.