Wiz
Vulnerability DatabaseCVE-2025-6013

CVE-2025-6013
HashiCorp Vault vulnerability analysis and mitigation

Overview

A vulnerability (CVE-2025-6013) was discovered in HashiCorp Vault and Vault Enterprise's LDAP authentication method. The issue affects versions from 1.10.0 up to 1.20.1, where MFA enforcement could be bypassed when usernameasalias was set to true and a user had multiple CNs that are equal but contained leading or trailing spaces. The vulnerability was disclosed on August 6, 2025, and has been assigned a CVSS v3.1 base score of 6.5 (Medium) (HashiCorp Discussion, NVD).

Technical details

The vulnerability stems from inconsistencies in string normalization when handling LDAP usernames containing additional whitespaces. While these usernames may be valid and authenticate successfully after normalization by the LDAP backend, the Vault LDAP auth method would set the entity alias name using the raw user input rather than the normalized user DN information returned by the LDAP directory. This inconsistency in handling strings with additional spaces resulted in entity alias names and potentially duplicate entity alias IDs, which could lead to MFA enforcement being bypassed. The issue has been classified under CWE-156 (Improper Neutralization of Whitespace) (HashiCorp Discussion).

Impact

The vulnerability could allow attackers to bypass Multi-Factor Authentication (MFA) enforcement in specific configurations where usernameasalias is enabled and users have multiple CNs with leading or trailing spaces. This could potentially lead to unauthorized access to protected resources that should require MFA verification (HashiCorp Discussion).

Mitigation and workarounds

The vulnerability has been fixed in Vault Community Edition 1.20.2 and Vault Enterprise versions 1.20.2, 1.19.8, 1.18.13, and 1.16.24. Organizations are advised to evaluate their risk and upgrade to these patched versions. The fix addresses the string normalization issues in the LDAP authentication method (HashiCorp Discussion).

Community reactions

The vulnerability was responsibly disclosed by Yarden Porat of Cyata Security to HashiCorp, demonstrating effective coordination in vulnerability disclosure practices (HashiCorp Discussion).

Additional resources

SourceThis report was generated using AI

Related HashiCorp Vault vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2025-6203HIGH7.5
  • HashiCorp VaultHashiCorp Vault
  • splunk-otel-collector-fips
NoYesAug 28, 2025
CVE-2025-6037MEDIUM6.8
  • HashiCorp VaultHashiCorp Vault
  • vault
NoYesAug 01, 2025
CVE-2025-6013MEDIUM6.5
  • HashiCorp VaultHashiCorp Vault
  • github.com/hashicorp/vault
NoYesAug 06, 2025
CVE-2025-6016N/AN/A
  • HashiCorp VaultHashiCorp Vault
  • cpe:2.3:a:hashicorp:vault
NoYesAug 07, 2025
CVE-2025-6010MEDIUMN/A
  • HashiCorp VaultHashiCorp Vault
  • cpe:2.3:a:hashicorp:vault
NoYesAug 07, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo