Low severityNVD Advisory· Published Aug 1, 2025· Updated Aug 1, 2025

Timing Side-Channel in Vault’s Userpass Auth Method

CVE-2025-6011

Description

A timing side channel in Vault and Vault Enterprise’s (“Vault”) userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially enumerate valid usernames for Vault’s Userpass auth method. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/hashicorp/vaultGo	< 1.20.1	1.20.1

Affected products

Hashicorp/Vaultv5
Range: 0
HashiCorp/Vault Enterprisev5
Range: 0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-mwgr-84fv-3jh9ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-6011ghsaADVISORY
discuss.hashicorp.com/t/hcsec-2025-15-timing-side-channel-in-vault-s-userpass-auth-method/76034ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.065
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000