CVE-2025-6011
Published: 2025-08-01
Priority: P4 · Severity: low · CVSS 3.1 base score: 3.7 · Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.31% (22.3rd percentile)
A timing side channel in Vault and Vault Enterprise’s (“Vault”) userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially enumerate valid usernames for Vault’s Userpass auth method. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | hashicorp_vault | >= 0 < 1.20.1 | 1.20.1 |
| github.com | openbao_openbao | >= 0 < 0.0.0-20250806193356-4d9b5d3d6486 | 0.0.0-20250806193356-4d9b5d3d6486 |
| github.com | openbao_openbao | >= 0.1.0 < 2.3.2 | 2.3.2 |
| hashicorp | vault | < 1.16.23 | 1.16.23 |
| hashicorp | vault | < 1.20.1 | 1.20.1 |
| hashicorp | vault | — | — |
| hashicorp | vault | >= 1.17.0 < 1.18.12 | 1.18.12 |
| hashicorp | vault | >= 1.19.0 < 1.19.7 | 1.19.7 |
| hashicorp | vault_enterprise | < 1.20.1 | 1.20.1 |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 3.7 | LOW | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
| ghsa | 3.7 | LOW | — |
| osv | 3.7 | LOW | — |
| vendor_redhat | 3.7 | LOW | — |
OSV
Hashicorp Vault has an Observable Discrepancy on Existing and Non-Existing Users in github.com/hashicorp/vault
osv·2025-08-11
CVE-2025-6011 Hashicorp Vault has an Observable Discrepancy on Existing and Non-Existing Users in github.com/hashicorp/vault
GHSA
OpenBao has a Timing Side-Channel in the Userpass Auth Method
ghsa·2025-08-08·CVSS 3.7
CVE-2025-54999 [LOW] CWE-203 OpenBao has a Timing Side-Channel in the Userpass Auth Method
### Impact
When using OpenBao's `userpass` auth method, user enumeration was possible due to a timing difference between non-existent users and users with stored credentials. This is independent of whether the supplied credentials were valid for the given user.
### Patches
OpenBao v2.3.2 will patch this issue.
### Workarounds
Users may use another auth method or apply rate limiting quotas to limit the number of requests in a period of time: https://openbao.org/api-docs/system/rate-limit-quotas/
### References
This issue was disclosed to HashiCorp and is the OpenBao equivalent of the following tickets:
- https://discuss.hashicorp.com/t/hcsec-2025-15-timing-side-channel-in-vault-s-userpass-auth-method/76034
- https://nvd.ni
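The mechanism behind this class of bug, as an added illustration that is not Vault's or OpenBao's code: a userpass-style login that returns as soon as the username lookup fails is cheap for unknown users and expensive (one full password-hash computation) for known users, so response time reveals whether the account exists regardless of the password supplied. The hardened variant hashes against a decoy record when the user is unknown, so both paths do the same work. The iterated SHA-256 `slowHash` is a constructed stand-in for a real password hash (bcrypt, Argon2) so the example runs with the Go standard library alone; the user store, the `dummyCred` decoy and the work factor are all constructed for the demonstration.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"time"
)

// hashIterations is a constructed work factor, large enough that the hashing
// step dominates request time the way a real password hash would.
const hashIterations = 200000

// storedCred is the per-user record a userpass-style backend keeps.
type storedCred struct {
	salt []byte
	hash []byte
}

// mustRandom returns n bytes from the OS CSPRNG or panics.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// slowHash is an iterated, salted SHA-256 used here only as a stand-in for a
// real password hash, so the example needs no third-party module. It is not
// a recommendation for production password storage.
func slowHash(password string, salt []byte) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	sum := h.Sum(nil)
	for i := 1; i < hashIterations; i++ {
		h.Reset()
		h.Write(sum)
		sum = h.Sum(nil)
	}
	return sum
}

func newCred(password string) storedCred {
	salt := mustRandom(16)
	return storedCred{salt: salt, hash: slowHash(password, salt)}
}

// users is a constructed credential store with one account.
var users = map[string]storedCred{
	"alice": newCred("correct horse battery staple"),
}

// dummyCred is a decoy record: random salt, random bytes where the hash would
// be. Hashing against it costs exactly as much as hashing against a real
// record, but no password can match it.
var dummyCred = storedCred{salt: mustRandom(16), hash: mustRandom(sha256.Size)}

// loginLeaky returns early when the username is unknown. An unknown user is
// rejected after a map lookup, a known user only after a full hash, and that
// gap is the observable discrepancy (CWE-203) the advisory describes.
func loginLeaky(username, password string) bool {
	cred, ok := users[username]
	if !ok {
		return false
	}
	return subtle.ConstantTimeCompare(slowHash(password, cred.salt), cred.hash) == 1
}

// loginUniform hashes against the decoy when the username is unknown, so both
// branches perform the same expensive work. The result still requires a real
// user and a matching hash.
func loginUniform(username, password string) bool {
	cred, ok := users[username]
	if !ok {
		cred = dummyCred
	}
	match := subtle.ConstantTimeCompare(slowHash(password, cred.salt), cred.hash) == 1
	return match && ok
}

// timeLogin measures the wall-clock cost of one login attempt.
func timeLogin(login func(string, string) bool, username, password string) time.Duration {
	start := time.Now()
	login(username, password)
	return time.Since(start)
}

func main() {
	variants := []struct {
		name  string
		login func(string, string) bool
	}{{"leaky", loginLeaky}, {"uniform", loginUniform}}
	for _, v := range variants {
		known := timeLogin(v.login, "alice", "wrong password")
		unknown := timeLogin(v.login, "nobody", "wrong password")
		fmt.Printf("%-8s known user: %v  unknown user: %v\n", v.name, known, unknown)
	}
}
```

Running it prints two lines: for the leaky variant the unknown-user attempt finishes orders of magnitude faster than the known-user attempt, while for the uniform variant the two are within noise of each other. The decoy approach removes the dominant gap (the hash), not every residual difference, which is why the advisory's workaround of rate-limiting login attempts is a sensible complement: it caps how many measurements an unauthenticated caller can collect.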
GHSA
Hashicorp Vault has an Observable Discrepancy on Existing and Non-Existing Users
ghsa·2025-08-01
CVE-2025-6011 [LOW] CWE-203 Hashicorp Vault has an Observable Discrepancy on Existing and Non-Existing Users
Red Hat
github.com/hashicorp/vault: Vault Userpass Authentication Timing Vulnerability
vendor_redhat·2025-08-01·CVSS 3.7
CVE-2025-6011 [LOW] CWE-203 github.com/hashicorp/vault: Vault Userpass Authentication Timing Vulnerability
A flaw was found in github.com/hashicorp/vault. The Userpass authentication method exhibits a timing vulnerability, allowing an attacker to determine whether a username exists within Vault by measuring response times, and enables potential enumeration of valid usernames. This vulnerability allows a network-based attacker to exploit this side channel to infer user presence without
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.