CVE-2025-6004: 
HashiCorp Vault vulnerability analysis and mitigation

Vault and Vault Enterprise's user lockout feature contained a vulnerability (CVE-2025-6004) that could be bypassed for Userpass and LDAP authentication methods. The vulnerability affects Vault Community Edition versions from 1.13.0 up to 1.20.0 and Vault Enterprise from 1.13.0 up to various versions. This issue was discovered by Yarden Porat of Cyata Security and reported to HashiCorp (HashiCorp Discussion).

The vulnerability stems from improper normalization of entity aliases in Vault's user lockout mechanism. Attackers could bypass the lockout mechanism by varying character cases in usernames when an authentication method wasn't configured to be case sensitive. The issue has been assigned a CVSS v3.1 base score of 5.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating network accessibility, low attack complexity, and no required privileges or user interaction (AttackerKB).

The vulnerability allows attackers to circumvent the user lockout security feature, potentially enabling unlimited authentication attempts through brute-force attacks. This particularly affects systems using Userpass and LDAP authentication methods, where the lockout mechanism serves as a critical security control against credential stuffing and password guessing attacks (GBHackers).

HashiCorp has released fixes in Vault Community Edition 1.20.1 and Vault Enterprise versions 1.20.1, 1.19.7, 1.18.12, and 1.16.23. The fix ensures proper normalization of entity aliases and preserves case sensitivity for LDAP auth mounts with the casesensitivenames parameter set. Organizations are advised to evaluate their risk and consider implementing rate-limit quotas or upgrading to the patched versions (HashiCorp Discussion).