CVE-2025-6015: Improper Restriction of Excessive Authentication Attempts in Vault Enterprise

Severity: 5.7 MEDIUM (NVD)
EPSS: 0.0% (top 93.88%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 1; latest update Aug 11

Description

Vault and Vault Enterprise’s (“Vault”) login MFA rate limits could be bypassed and TOTP tokens could be reused. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Exploitability: 2.1 | Impact: 3.6

Affected Packages (4 packages)

Source    | Package                    | Introduced | Fixed
CVEListV5 | hashicorp/vault_enterprise | 1.10.0     | 1.20.1
NVD       | hashicorp/vault            | 1.10.0     | 1.16.23 (+4)
Go        | github.com/hashicorp_vault | 1.10.0     | 1.20.1
Go        | github.com/openbao_openbao | 0.1.0      | 2.3.2 (+1)

Vulnerability Details (5)

OSV: Hashicorp Vault has Login MFA Rate Limit Bypass Vulnerability in github.com/hashicorp/vault (2025-08-11)
OSV: OpenBao Login MFA Bypass of Rate Limiting and TOTP Token Reuse (2025-08-08)
GHSA: OpenBao Login MFA Bypass of Rate Limiting and TOTP Token Reuse (2025-08-08)
GHSA: Hashicorp Vault has Login MFA Rate Limit Bypass Vulnerability (2025-08-01)
OSV: Hashicorp Vault has Login MFA Rate Limit Bypass Vulnerability (2025-08-01)

Vendor Advisories (1)

Red Hat: github.com/hashicorp/vault: Vault TOTP Rate Limit Bypass (2025-08-01)