CVE-2025-6014 - Vulnerability Details

Vault and Vault Enterprise’s (“Vault”) TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Hashicorp	Vault Vault Enterprise

No data.

References

Link	Providers
https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036
https://github.com/advisories/GHSA-qv3p-fmv3-9hww
https://nvd.nist.gov/vuln/detail/CVE-2025-6014
https://www.cve.org/CVERecord?id=CVE-2025-6014

History

Mon, 04 Aug 2025 12:15:00 +0000

Type	Values Removed	Values Added
References		https://github.com/advisories/GHSA-qv3p-fmv3-9hww https://nvd.nist.gov/vuln/detail/CVE-2025-6014 https://www.cve.org/CVERecord?id=CVE-2025-6014
Metrics	threat_severity `None`	threat_severity `Moderate`

Mon, 04 Aug 2025 09:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Hashicorp Hashicorp vault Hashicorp vault Enterprise
Vendors & Products		Hashicorp Hashicorp vault Hashicorp vault Enterprise

Fri, 01 Aug 2025 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 01 Aug 2025 18:00:00 +0000

Type	Values Removed	Values Added
Description		Vault and Vault Enterprise’s (“Vault”) TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
Title		Vault TOTP Secrets Engine Code Reuse
Weaknesses		CWE-156
References		https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: HashiCorp

Published: 2025-08-01T17:50:09.308Z

Updated: 2025-08-01T18:05:37.553Z

Reserved: 2025-06-11T19:02:59.572Z

Link: CVE-2025-6014

Vulnrichment

Updated: 2025-08-01T18:05:31.317Z

NVD

Status : Awaiting Analysis

Published: 2025-08-01T18:15:56.853

Modified: 2025-08-04T15:06:15.833

Link: CVE-2025-6014

Redhat

Severity : Moderate

Publid Date: 2025-08-01T17:50:09Z

Links: CVE-2025-6014 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object