CVE-2025-6014: 
HashiCorp Vault vulnerability analysis and mitigation

Vault and Vault Enterprise's TOTP (Time-based One-Time Password) Secrets Engine code validation endpoint was found to be susceptible to code reuse within its validity period. The vulnerability, identified as CVE-2025-6014, affects Vault Community Edition up to 1.20.0 and Vault Enterprise up to versions 1.20.0, 1.19.6, 1.18.11, and 1.16.22 (HashiCorp Discussion).

The vulnerability stems from the improper neutralization of whitespace (CWE-156) in the TOTP used code cache. Used code entries were not properly normalized, which made it possible to reuse existing codes by appending whitespace. The issue has a CVSS v3.1 Base Score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability allows for the reuse of TOTP codes within their validity period, potentially compromising the security of two-factor authentication implementations using Vault's TOTP secrets engine (HashiCorp Discussion).

The vulnerability has been fixed in Vault Community Edition 1.20.1 and Vault Enterprise versions 1.20.1, 1.19.7, 1.18.12, and 1.16.23. The fix implements strict checking of TOTP code length based on the configured key length. Organizations are advised to upgrade to these patched versions (HashiCorp Discussion).

The vulnerability was responsibly disclosed by Yarden Porat of Cyata Security to HashiCorp, demonstrating effective coordination in vulnerability disclosure practices (HashiCorp Discussion).