Wiz
Vulnerability DatabaseCVE-2025-5999

CVE-2025-5999
HashiCorp Vault vulnerability analysis and mitigation

Overview

CVE-2025-5999 is a privilege escalation vulnerability discovered in HashiCorp Vault that affects both Community and Enterprise editions. The vulnerability allows a privileged Vault operator with write permissions to the root namespace's identity endpoint to escalate their own or another user's token privileges to Vault's root policy. The issue was discovered by Yarden Porat of Cyata Security and was disclosed on August 1, 2025. The vulnerability affects Vault Community Edition from 0.10.4 up to 1.19.5 and Vault Enterprise from 0.10.4 up to various versions (HashiCorp Discussion).

Technical details

The vulnerability stems from incomplete input validation and normalization of policy names in Vault's identity secrets engine. The issue has been assigned a CVSS v3.1 base score of 7.2 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-266 (Incorrect Privilege Assignment) and only affects root namespace entities, not entities in namespaces including administrative namespaces (NVD).

Impact

If exploited, this vulnerability allows attackers to elevate token privileges to Vault's root policy, effectively gaining the highest level of access within the system. The impact is particularly significant as it affects the root namespace, though it notably does not affect HCP Vault Dedicated due to its use of administrative namespaces (HashiCorp Discussion).

Mitigation and workarounds

The vulnerability has been fixed in Vault Community Edition 1.20.0 and Vault Enterprise versions 1.20.0, 1.19.6, 1.18.11, and 1.16.22. Organizations are advised to upgrade to these patched versions. Alternatively, Sentinel EGP policies can be implemented as a workaround. Detection of exploitation is possible by monitoring Vault audit logs for requests containing 'root' inside the 'identity_policies' array (HashiCorp Discussion).

Community reactions

The vulnerability has gained significant attention in the cybersecurity community, particularly as it was discovered alongside other critical vulnerabilities in enterprise secure vaults. Security researchers have highlighted how this vulnerability, when combined with others, demonstrates how authentication, policy enforcement, and plugin execution can be subverted through logic bugs (Hacker News).

Additional resources

SourceThis report was generated using AI

Related HashiCorp Vault vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2025-63811HIGH7.5
  • HashiCorp VaultHashiCorp Vault
  • telegraf-1.34
NoYesNov 12, 2025
CVE-2025-61725HIGH7.5
  • cAdvisorcAdvisor
  • thanos-operator-fips
NoYesOct 29, 2025
CVE-2025-58181MEDIUM5.3
  • cAdvisorcAdvisor
  • eksctl
NoYesNov 19, 2025
CVE-2025-47914MEDIUM5.3
  • cAdvisorcAdvisor
  • argocd-fips-3.2
NoYesNov 19, 2025
CVE-2025-61724MEDIUM5.3
  • cAdvisorcAdvisor
  • dockerize
NoYesOct 29, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo