Low severityNVD Advisory· Published Aug 1, 2025· Updated Aug 1, 2025
Timing Side-Channel in Vault’s Userpass Auth Method
CVE-2025-6011
Description
A timing side channel in Vault and Vault Enterprise’s (“Vault”) userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially enumerate valid usernames for Vault’s Userpass auth method. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/hashicorp/vaultGo | < 1.20.1 | 1.20.1 |
Affected products
11- osv-coords9 versionspkg:apk/chainguard/splunk-otel-collectorpkg:apk/chainguard/splunk-otel-collector-fipspkg:apk/wolfi/splunk-otel-collectorpkg:bitnami/vaultpkg:golang/github.com/hashicorp/vaultpkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/openbao&distro=openSUSE%20Tumbleweedpkg:rpm/suse/govulncheck-vulndb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6
< 0.138.0-r0+ 8 more
- (no CPE)range: < 0.138.0-r0
- (no CPE)range: < 0.138.0-r1
- (no CPE)range: < 0.138.0-r0
- (no CPE)range: < 1.20.1
- (no CPE)range: < 1.20.1
- (no CPE)range: < 0.0.20250814T182633-150000.1.98.1
- (no CPE)range: < 0.0.20250811T192933-1.1
- (no CPE)range: < 2.3.2-1.1
- (no CPE)range: < 0.0.20250814T182633-150000.1.98.1
- Range: 0
Patches
Vulnerability mechanics
References
3News mentions
0No linked articles in our index yet.