CVE-2025-6014: Improper Neutralization of Whitespace in Vault Enterprise

Severity
NVD: 6.5 MEDIUM
GHSA: 5.7
OSV: 5.7

EPSS
0.1% (top 84.83%)

CISA KEV
Not in KEV

Exploit
No known exploits

Timeline
Published: Aug 1
Latest update: Mar 20

Description

Vault and Vault Enterprise’s (“Vault”) TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (5 packages)

CVEListV5: hashicorp/vault_enterprise < 1.20.1
NVD: hashicorp/vault 1.17.0 to 1.18.12 (+4 more ranges)
Go: github.com/openbao_openbao 0.1.0 to 2.3.2 (+1 more range)

Vulnerability Details (7)

GHSA: Vikunja has TOTP Reuse During Validity Window (2026-03-20)
OSV: Vikunja has TOTP Reuse During Validity Window (2026-03-20)
OSV: Hashicorp Vault's TOTP Secrets Engine Susceptible to Code Reuse in github.com/hashicorp/vault (2025-08-11)
OSV: OpenBao TOTP Secrets Engine Code Reuse (2025-08-08)
GHSA: OpenBao TOTP Secrets Engine Code Reuse (2025-08-08)

Vendor Advisories (1)

Red Hat: github.com/hashicorp/vault: Vault TOTP Secrets Engine Code Reuse (2025-08-01)