
CVE-2025-6011
HashiCorp Vault vulnerability analysis and mitigation

Overview

A timing side-channel vulnerability (CVE-2025-6011) was discovered in the userpass authentication method of HashiCorp Vault and Vault Enterprise. The vulnerability was disclosed on August 1, 2025, and affects Vault Community Edition up to 1.20.0 and Vault Enterprise up to versions 1.20.0, 1.19.6, 1.18.11, and 1.16.22. The flaw allowed an unauthenticated attacker to distinguish existing from non-existing users by response time, potentially enabling the enumeration of valid usernames within Vault's userpass authentication method (HashiCorp Discussion).

Technical details

The vulnerability stems from a flawed timing-attack mitigation in the userpass authentication method. Vault attempted to make login attempts for existing and non-existing usernames take the same time by running bcrypt against a placeholder string when the username did not exist. However, the CompareHashAndPassword function returns early when the hash it is given is not in a valid bcrypt format, so the expensive bcrypt comparison was skipped on the non-existing-user path, and the resulting difference in response time revealed which usernames were valid. The vulnerability has been assigned a CVSS v3.1 base score of 3.7 (Low) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N: network-accessible, high attack complexity, no privileges or user interaction required, and a low confidentiality impact with no impact on integrity or availability (NVD).
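The following is an added illustration of the pattern described above, not Vault's code and not HashiCorp's fix: a login routine whose placeholder for unknown users is an unparseable string (the weak form) beside one whose placeholder is a real hash at the same cost (the hardened form). Iterated SHA-256 stands in for bcrypt so the example runs with the standard library alone, the `kdf$...` string stands in for a bcrypt hash, and `users`, `weakDummy` and `hardenedDummy` are constructed sample values; `compareHashAndPassword` mirrors the early-exit shape of bcrypt's comparison and reports the work it performed so the asymmetry is visible without timing measurements.

```go
package main
import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)
const cost = 4096 // iterations of SHA-256 standing in for bcrypt (an assumption, to stay stdlib-only)
func derive(pw, salt string) []byte {
	sum := sha256.Sum256([]byte(salt + pw))
	for i := 1; i < cost; i++ {
		sum = sha256.Sum256(sum[:])
	}
	return sum[:]
}
// encodeHash yields "kdf$<salt-hex>$<digest-hex>", playing the role of a bcrypt hash string.
func encodeHash(pw, salt string) string {
	return fmt.Sprintf("kdf$%x$%x", salt, derive(pw, salt))
}
// Same shape as bcrypt.CompareHashAndPassword: an unparseable hash is rejected before any derivation runs; work reports the iterations performed.
func compareHashAndPassword(encoded, pw string) (ok bool, work int) {
	parts := strings.Split(encoded, "$")
	if len(parts) != 3 || parts[0] != "kdf" {
		return false, 0 // early exit: zero derivation work for a malformed hash
	}
	salt, errS := hex.DecodeString(parts[1])
	want, errD := hex.DecodeString(parts[2])
	if errS != nil || errD != nil {
		return false, 0
	}
	return subtle.ConstantTimeCompare(derive(pw, string(salt)), want) == 1, cost
}
var (
	users         = map[string]string{"alice": encodeHash("correct-horse", "salt-a")} // constructed sample user
	weakDummy     = "placeholder"                         // unparseable: unknown users return early
	hardenedDummy = encodeHash("never-a-login", "salt-d") // real hash at the same cost: no shortcut
)
func login(dummy, user, pw string) (ok bool, work int) {
	h, found := users[user]
	if !found {
		h = dummy // compared against for unknown usernames
	}
	ok, work = compareHashAndPassword(h, pw)
	return ok && found, work // found is checked after the compare, so the dummy can never log in
}
func main() { // derivation work an unknown username triggers: 0 with the weak dummy, 4096 with the hardened one
	fmt.Println(login(weakDummy, "mallory", "x"))
	fmt.Println(login(hardenedDummy, "mallory", "x"))
}
```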

Impact

The vulnerability allows an attacker to enumerate valid usernames in Vault's userpass authentication method by comparing response times. On its own this is an information disclosure, but a confirmed list of valid accounts can serve as a stepping stone for further attacks against those accounts (HashiCorp Discussion).

Mitigation and workarounds

HashiCorp has released patches to address this vulnerability. Users should upgrade to Vault Community Edition 1.20.1 or Vault Enterprise versions 1.20.1, 1.19.7, 1.18.12, or 1.16.23, depending on their current version. Organizations are advised to evaluate the risk and follow the general guidance provided in the Vault upgrading documentation (HashiCorp Discussion).

