
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-5999 is a privilege escalation vulnerability in HashiCorp Vault affecting versions 0.10.4 through 1.19.5 of both the Community and Enterprise editions. It was discovered by Yarden Porat of Cyata Security and publicly disclosed on August 1, 2025. A privileged Vault operator with write permission to the root namespace's identity endpoint can use it to escalate their own token, or another user's token, to Vault's root policy (HashiCorp Discussion).
The root cause is incomplete input validation and normalization of policy names in Vault's identity secrets engine. The identity engine maintains entities, Vault's representation of a client, and links each entity to its aliases across authentication methods; the policies attached to an entity are added to every token issued for that entity, which is why a change to an entity's policies reaches other users' tokens. Because policy names on entities in the root namespace were not fully validated and normalized, a name that Vault later resolves to the reserved root policy could be attached to an entity there. Entities in other namespaces, including administrative namespaces, are not affected, and HCP Vault Dedicated is not affected because it uses administrative namespaces (HashiCorp Discussion).
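The following is an added example, not Vault's source code, that models the class of flaw described above: a guard that refuses the reserved root policy runs on the raw policy names, while normalization only happens afterwards, so the guard and the evaluation disagree about what the name means. The normalization rule (trim whitespace, fold case), the function names and the variant spelling in the sample are assumptions for illustration, not a claim about the exact inputs affected Vault versions accepted.

```python
"""Model of the policy-name check at the heart of CVE-2025-5999.

Added example, not Vault's source code. It models the class of flaw the
advisory describes: a guard that refuses the reserved "root" policy runs on
the raw policy names, while the names are only normalized afterwards. The
normalization rule used here (trim whitespace, fold case) and the variant
spellings in the sample are assumptions for illustration, not a claim about
the exact inputs affected Vault versions accepted.
"""
from collections.abc import Callable

RESERVED_ROOT = "root"


def normalize_policy(name: str) -> str:
    """Assumed canonical form of a policy name: trimmed and lowercased."""
    return name.strip().lower()


def vulnerable_assign(policies: list[str]) -> list[str]:
    """Flawed order: guard on raw input, normalize afterwards.

    Returns the effective (normalized, deduplicated) policy set the entity ends
    up with. A variant such as "Root " passes the guard and collapses to "root".
    """
    if RESERVED_ROOT in policies:
        raise PermissionError("cannot assign root policy to an entity")
    return sorted({normalize_policy(p) for p in policies})


def hardened_assign(policies: list[str]) -> list[str]:
    """Corrected order: normalize first, then guard on the canonical form."""
    normalized = sorted({normalize_policy(p) for p in policies})
    if RESERVED_ROOT in normalized:
        raise PermissionError("cannot assign root policy to an entity")
    return normalized


def token_gets_root(effective_policies: list[str]) -> bool:
    """A token built from this policy set is root if the canonical name is present."""
    return RESERVED_ROOT in effective_policies


def rejected(assign: Callable[[list[str]], list[str]], policies: list[str]) -> bool:
    """True when the given assignment routine refuses the policy list."""
    try:
        assign(policies)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: an ordinary request, the literal reserved name, and a variant spelling.
    for request in (["default", "kv-reader"], ["default", "root"], ["default", "Root "]):
        for label, assign in (("vulnerable", vulnerable_assign), ("hardened", hardened_assign)):
            if rejected(assign, request):
                print(f"{label:10} {request!r}: rejected")
            else:
                eff = assign(request)
                print(f"{label:10} {request!r}: effective={eff!r} root={token_gets_root(eff)}")
```

The point to take away is the ordering: any guard on a reserved name must run on the same canonical form the rest of the system uses, otherwise every spelling the normalizer collapses is a bypass.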
A successful exploit gives the target token Vault's root policy, the highest level of access in the system, and the elevated privileges persist for the remainder of the token's validity period, so patching alone does not strip root from tokens that were already escalated. The impact is confined to the root namespace and does not extend to entities in other namespaces (HashiCorp Discussion).
HashiCorp fixed the issue in Vault Community Edition 1.20.0 and in Vault Enterprise 1.20.0, 1.19.6, 1.18.11 and 1.16.22; organizations should upgrade to one of these releases. Where an immediate upgrade is not possible, Sentinel EGP policies (an Enterprise feature) applied to the root namespace's identity endpoint can serve as an interim mitigation. In either case, review the policies attached to entities in the root namespace for any name that normalizes to root, revoke tokens issued to such entities, and monitor Vault audit logs for writes to the root namespace's identity endpoint and for tokens whose identity-derived policies include root (HashiCorp Discussion).
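The audit-log monitoring suggested above, as an added example that is not HashiCorp's own tooling: a pass over newline-delimited JSON in the shape written by Vault's file audit device that flags create/update writes to identity entity paths in the root namespace, and requests made with a token whose identity-derived policies contain an entry that normalizes to root. The sample entries are constructed and trimmed to the fields used (type, request.path, request.operation, request.namespace, auth.*); real entries carry many more fields, and the rule and function names are this example's own. One caveat a practitioner needs: with the default (non-raw) audit configuration, request data values are HMAC-SHA256, so the policy strings an operator submitted cannot be matched directly; the plaintext policy lists under auth in later requests can.

```python
"""Detection pass over Vault audit log entries for the activity described above.

Added example, not HashiCorp's own tooling. It reads newline-delimited JSON in
the shape written by Vault's file audit device and flags two things: (1)
create/update writes to identity entity paths in the root namespace, and (2)
requests made with a token whose identity-derived policies contain an entry
that normalizes to "root". The entries below are constructed for illustration
and trimmed to the fields used; real entries carry many more fields. Request
data values are HMAC-SHA256 in the default (non-raw) audit configuration, so
the policy strings a writer submitted are not matched on; the plaintext policy
lists under auth of later requests are.
"""
import json
from collections.abc import Iterable

RESERVED_ROOT = "root"
ENTITY_WRITE_OPS = {"create", "update"}
# Prefix match deliberately also catches identity/entity-alias writes.
ENTITY_PATH_PREFIX = "identity/entity"


def normalize_policy(name: str) -> str:
    """Assumed canonical form of a policy name: trimmed and lowercased."""
    return name.strip().lower()


def _entry(rid, actor, op, path, ns, identity_policies, data=None):
    """Build one trimmed, constructed audit entry (sample data only)."""
    e = {
        "type": "request",
        "auth": {
            "display_name": actor,
            "token_policies": ["default"],
            "identity_policies": identity_policies,
            "policies": ["default", *identity_policies],
        },
        "request": {"id": rid, "operation": op, "path": path, "namespace": ns},
    }
    if data is not None:
        e["request"]["data"] = data
    return json.dumps(e)


# Constructed sample log: an entity update in the root namespace, a later request
# by a token carrying a variant of "root", benign traffic, and an entity update in
# a child namespace (out of scope for this CVE).
SAMPLE_AUDIT_LOG = "\n".join([
    _entry("r1", "userpass-ops", "update", "identity/entity/id/3f1a", {"id": "root"}, [],
           {"policies": "hmac-sha256:<hmac>"}),  # data values are HMACed by default
    _entry("r2", "userpass-alice", "read", "sys/policies/acl/admin", {"id": "root"}, ["Root "]),
    _entry("r3", "userpass-bob", "read", "kv/data/app", {"id": "root"}, ["kv-reader"]),
    _entry("r4", "userpass-ops", "update", "identity/entity/id/9b2c",
           {"id": "nEZ4x", "path": "admin/"}, []),
])


def in_root_namespace(entry: dict) -> bool:
    """The root namespace is logged with id "root"; child namespaces carry a path."""
    return entry.get("request", {}).get("namespace", {}).get("id") == "root"


def findings(lines: Iterable[str]) -> list[dict]:
    """Return one finding per matching rule per request entry."""
    out = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        entry = json.loads(raw)
        if entry.get("type") != "request":
            continue
        req = entry.get("request", {})
        auth = entry.get("auth") or {}
        base = {"request_id": req.get("id"), "actor": auth.get("display_name"),
                "path": req.get("path")}
        if (in_root_namespace(entry)
                and req.get("operation") in ENTITY_WRITE_OPS
                and req.get("path", "").startswith(ENTITY_PATH_PREFIX)):
            out.append({"rule": "root_ns_entity_write", **base})
        root_like = [p for p in auth.get("identity_policies") or []
                     if normalize_policy(p) == RESERVED_ROOT]
        if root_like:
            out.append({"rule": "identity_policy_root", "policies": root_like, **base})
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE_AUDIT_LOG.splitlines()):
        print(f)
```

Every write to the root namespace's identity entity paths is worth alerting on by itself, since the request data is opaque in the log: Vault's `sys/audit-hash` endpoint lets you compute the HMAC of a string you already know, but that does not help against a name variant you have not thought of, which is exactly what this bug exploits. Matching the plaintext identity policies of later requests catches the escalated token regardless of which spelling got past the check.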
Source: This report was generated using AI