CVE-2025-6015: 
HashiCorp Vault vulnerability analysis and mitigation

A vulnerability was discovered in HashiCorp Vault and Vault Enterprise's login MFA system where rate limits could be bypassed and TOTP (Time-based One-Time Password) tokens could be reused. The vulnerability, identified as CVE-2025-6015, affects Vault Community Edition versions from 1.10.0 up to 1.20.0 and Vault Enterprise versions from 1.10.0 up to 1.20.0, 1.19.6, 1.18.11, 1.16.22, and 1.15.15 (HashiCorp Discussion).

The vulnerability stems from Vault's login MFA system not correctly normalizing TOTP codes before enforcing the once-per-validity-window check. This implementation flaw could allow attackers to resubmit previously used codes during the MFA check. The issue has been assigned a CVSS v3.1 base score of 5.7 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N. The vulnerability is classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts) (Red Hat Security).

The vulnerability allows remote attackers to bypass authentication security measures by reusing TOTP tokens during the authentication process. Successful exploitation could lead to unauthorized access to protected resources through the repeated use of TOTP tokens that should have been valid only once (Red Hat Security).

The vulnerability has been fixed in Vault Community Edition 1.20.1 and Vault Enterprise versions 1.20.1, 1.19.7, 1.18.12, and 1.16.23. The fix includes strict validation of TOTP code length and implementation of generic error messages for previously used passcodes. Organizations are strongly advised to upgrade to these patched versions (HashiCorp Discussion).

The vulnerability was responsibly disclosed by Yarden Porat of Cyata Security to HashiCorp, demonstrating effective coordination in vulnerability disclosure processes (HashiCorp Discussion).