CVE-2025-6011

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2025-6011

Severity

3.7

Low

CVSS V3

Description

A timing side channel in Vault and Vault Enterprise’s (“Vault”) userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially enumerate valid usernames for Vault’s Userpass auth method. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

References

https://images.chainguard.dev/security/CGA-hpvg-w5xf-q7q4
https://github.com/advisories/GHSA-mwgr-84fv-3jh9
https://images.chainguard.dev/security/CGA-v8gw-mhx8-7grv
https://images.chainguard.dev/security/CGA-wh79-v7xh-9qcc
https://images.chainguard.dev/security/CGA-7c4c-9fw3-jcq2
https://images.chainguard.dev/security/CGA-588h-pvx2-p8wc
https://images.chainguard.dev/security/CGA-gpxc-62hm-mwwv
https://images.chainguard.dev/security/CGA-3ffw-pm4v-8cq7
https://images.chainguard.dev/security/CGA-x2c9-xp47-p254
https://discuss.hashicorp.com/t/hcsec-2025-15-timing-side-channel-in-vault-s-userpass-auth-method/76034

Affected packages

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

The trusted source for open source

Talk to an expert

Privacy

Terms

CVE-2025-6011

Severity

Description

References

Affected packages

The trusted source for open source

Product

Solutions

Customers

Resources

Company