CVE-2025-6014
Published 2025-08-01
Priority P3 · 39 · Medium · CVSS 3.1 base score 6.5
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:N
EPSS: 0.34% (25.9th percentile)
Vault and Vault Enterprise’s (“Vault”) TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code.vikunja.io | api | >= 0.13 | — |
| github.com | hashicorp_vault | >= 0 < 1.20.1 | 1.20.1 |
| github.com | openbao_openbao | >= 0 < 0.0.0-20250806193153-183891f8d535 | 0.0.0-20250806193153-183891f8d535 |
| github.com | openbao_openbao | >= 0.1.0 < 2.3.2 | 2.3.2 |
| hashicorp | vault | < 1.16.23 | 1.16.23 |
| hashicorp | vault | < 1.20.1 | 1.20.1 |
| hashicorp | vault | — | — |
| hashicorp | vault | >= 1.17.0 < 1.18.12 | 1.18.12 |
| hashicorp | vault | >= 1.19.0 < 1.19.7 | 1.19.7 |
| hashicorp | vault_enterprise | < 1.20.1 | 1.20.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| GHSA | — | 6.5 | MEDIUM | — |
| OSV | — | 6.5 | MEDIUM | — |
| Red Hat (vendor) | — | 6.5 | MEDIUM | — |
GHSA
Vikunja has TOTP Reuse During Validity Window
ghsa·2026-03-20·CVSS 5.7
CVE-2026-33473 [MEDIUM] CWE-287 Vikunja has TOTP Reuse During Validity Window
### Summary
Any user that has enabled 2FA can have their TOTP code reused during the standard 30-second validity window.
### Details
The code below is called when a user with 2FA enabled authenticates to the application. Once they submit a valid username, password and TOTP combination, the user is authenticated. If that same TOTP code is used for the same user's account again within the validity window, the second session is also authenticated successfully.
**Source**: pkg/user/totp.go:128
```go
// ValidateTOTPPasscode validates TOTP codes of users.
func ValidateTOTPPasscode(s *xorm.Session, passcode *TOTPPasscode) (t *TOTP, err error) {
	t, err = GetTOTPForUser(s, passcode.User)
	if err != nil {
		return
	}
	if !totp.Validate(passcode.Passcode, t.Secr
	// (snippet truncated in the indexed advisory)
```
OSV
Vikunja has TOTP Reuse During Validity Window
osv·2026-03-20·CVSS 5.7
CVE-2026-33473 [MEDIUM] Vikunja has TOTP Reuse During Validity Window
OSV
Hashicorp Vault's TOTP Secrets Engine Susceptible to Code Reuse in github.com/hashicorp/vault
osv·2025-08-11
CVE-2025-6014 Hashicorp Vault's TOTP Secrets Engine Susceptible to Code Reuse in github.com/hashicorp/vault
OSV
OpenBao TOTP Secrets Engine Code Reuse
osv·2025-08-08·CVSS 6.5
CVE-2025-55000 [MEDIUM] OpenBao TOTP Secrets Engine Code Reuse
### Impact
OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caused by unexpected normalization in the underlying TOTP library.
### Patches
OpenBao v2.3.2 will patch this issue.
In patching, codes which were not normalized (strictly N numeric digits) will now be rejected. This is a potentially breaking change.
### Workarounds
TOTP code verification is a privileged action; only trusted systems should be verifying codes. Ensure that all codes are first normalized before submitting to the OpenBao endpoint.
### References
This issue was disclosed to HashiCorp and is the OpenBao equivalent of the following tickets:
- https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-cod
GHSA
OpenBao TOTP Secrets Engine Code Reuse
ghsa·2025-08-08·CVSS 6.5
CVE-2025-55000 [MEDIUM] CWE-156 OpenBao TOTP Secrets Engine Code Reuse
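The advisories on this page describe two shapes of the same replay weakness. Vikunja's validator checks the code against the secret but never records it as used. Vault and OpenBao are described as accepting a valid code more than once because of "unexpected normalization in the underlying TOTP library", and the fix rejects any code that is not strictly N numeric digits. One way normalization defeats a strictly-once check is when the used-code record is keyed on the string exactly as submitted while the library compares a normalized form, so a second spelling of an already-consumed code is a new cache key; that is the mechanism modelled below (an assumption about the mechanism, consistent with the patch note, not something the advisories spell out). The Go program is an added illustration, not code from Vault, OpenBao or Vikunja: it implements RFC 6238 (HMAC-SHA1, 30-second step, 6 digits) and a toy verifier in three modes, with no replay cache, with a cache keyed on raw input, and with the strict digits-only input check. Trimming surrounding whitespace is the normalization assumed for illustration; the secret and timestamp are the RFC 6238 reference vector; `totpAt`, `libValidate`, `Mode` and `Verifier` are names chosen here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strings"
)

const (
	period = 30 // RFC 6238 time step in seconds
	digits = 6  // code length enforced by the strict check
)

// totpAt computes an RFC 6238 code (HMAC-SHA1, 30-second period) for a Unix timestamp.
func totpAt(secret []byte, unix int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unix)/period)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation offset
	v := uint32(h[off]&0x7f)<<24 | uint32(h[off+1])<<16 | uint32(h[off+2])<<8 | uint32(h[off+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, v%mod)
}

// libValidate stands in for the TOTP library's check. It normalizes the submitted code
// before comparing; trimming surrounding whitespace is an assumed normalization for the
// purpose of this example, not a statement about what the real library does.
func libValidate(code string, secret []byte, unix int64) bool {
	code = strings.TrimSpace(code)
	return subtle.ConstantTimeCompare([]byte(code), []byte(totpAt(secret, unix))) == 1
}

// Mode selects how the verifier guards against reuse.
type Mode int

const (
	NoReplayCache Mode = iota // validate only, never record used codes
	RawKeyedCache             // record the code exactly as submitted, then let the library normalize
	StrictInput               // reject anything that is not exactly N ASCII digits before caching
)

// Verifier is a toy stand-in for a TOTP validation endpoint with a used-code cache.
type Verifier struct {
	mode   Mode
	secret []byte
	used   map[string]bool
}

func NewVerifier(mode Mode, secret []byte) *Verifier {
	return &Verifier{mode: mode, secret: secret, used: map[string]bool{}}
}

// isExactlyDigits reports whether code is exactly n ASCII digits and nothing else.
func isExactlyDigits(code string, n int) bool {
	if len(code) != n {
		return false
	}
	for i := 0; i < len(code); i++ {
		if code[i] < '0' || code[i] > '9' {
			return false
		}
	}
	return true
}

// Validate checks a code at the given time and, depending on mode, enforces single use.
func (v *Verifier) Validate(code string, unix int64) bool {
	if v.mode == StrictInput && !isExactlyDigits(code, digits) {
		return false // only one spelling of each code can reach the cache and the library
	}
	if v.mode != NoReplayCache && v.used[code] {
		return false
	}
	if !libValidate(code, v.secret, unix) {
		return false
	}
	if v.mode != NoReplayCache {
		v.used[code] = true // in RawKeyedCache mode a padded spelling of the same code is a different key
	}
	return true
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 reference secret
	const at = int64(59)                     // RFC 6238 vector: counter 1, 6-digit code 287082
	code := totpAt(secret, at)
	for _, m := range []Mode{NoReplayCache, RawKeyedCache, StrictInput} {
		v := NewVerifier(m, secret)
		fmt.Printf("mode %d: first=%v replay=%v padded-replay=%v\n",
			m, v.Validate(code, at), v.Validate(code, at), v.Validate(" "+code, at))
	}
}
```

Run with `go run .`: mode 0 accepts every submission, mode 1 rejects the exact replay but accepts the whitespace-padded one, and mode 2 accepts the first use only. The design point is ordering: the input must be forced into one canonical form before it is used as the replay-cache key and before it is handed to the library, otherwise any normalization the library performs creates a second valid spelling of a code the cache has never seen. The OpenBao workaround (normalize on the client before calling the endpoint) is the same fix applied one hop earlier.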
GHSA
Hashicorp Vault's TOTP Secrets Engine Susceptible to Code Reuse
ghsa·2025-08-01
CVE-2025-6014 [MEDIUM] CWE-156 Hashicorp Vault's TOTP Secrets Engine Susceptible to Code Reuse
OSV
Hashicorp Vault's TOTP Secrets Engine Susceptible to Code Reuse
osv·2025-08-01
CVE-2025-6014 [MEDIUM] Hashicorp Vault's TOTP Secrets Engine Susceptible to Code Reuse
Red Hat
github.com/hashicorp/vault: Vault TOTP Secrets Engine Code Reuse
vendor_redhat·2025-08-01·CVSS 6.5
CVE-2025-6014 [MEDIUM] CWE-156 github.com/hashicorp/vault: Vault TOTP Secrets Engine Code Reuse
A flaw was found in github.com/hashicorp/vault. The Time-based One-Time Password (TOTP) Secrets Engine's validation endpoint accepts the same code more than once during its validity period, so a remote attacker who has obtained a code that was already consumed can replay it within the same window instead of presenting a fresh one, resulting in unauthorized access to resources protected by the TOTP Secrets Engine.
Mitigation: Mitigation for this issue is either not ava
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.