HCSEC-2025-19 (published)

**Bulletin ID:** HCSEC-2025-19

**Affected Products / Versions:** Vault Community Edition from 1.10.0 up to 1.20.0, fixed in 1.20.1. Vault Enterprise from 1.10.0 up to 1.20.0, 1.19.6, 1.18.11, 1.16.22, 1.15.15, fixed in 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

**Publication Date:** August 1, 2025

**Summary**

Vault and Vault Enterprise’s (“Vault”) login MFA rate limits could be bypassed and TOTP tokens could be reused. This vulnerability, CVE-2025-6015, is fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

**Background**

Vault’s [login MFA](https://developer.hashicorp.com/vault/docs/auth/login-mfa) is built on Vault’s identity system and enforces multi-factor authentication when a user logs in through an auth method. Vault supports several login MFA types, including TOTP. A TOTP code is only meant to be accepted once within its validity period, so Vault tracks codes that have already been used and rejects a second submission of the same code.

**Details**

Vault’s login MFA did not correctly normalize submitted TOTP codes before enforcing the once-per-validity-window check. A code that had already been consumed could therefore be resubmitted in a different form and pass the MFA check. Vault now strictly validates the length of the submitted TOTP code, and TOTP validation returns a generic error when the passcode has already been used, so the response no longer distinguishes a replayed code from an invalid one.

**Remediation**

Customers should evaluate the risk associated with this issue and consider upgrading to Vault Community Edition 1.20.1 or Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23. Please refer to [Upgrading Vault](https://developer.hashicorp.com/vault/docs/upgrading) for general guidance.

**Acknowledgement**

This issue was identified by Yarden Porat of Cyata Security who reported it to HashiCorp. *We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see [https://hashicorp.com/security](https://hashicorp.com/security).*
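The bug class described under Details, as an added illustration that is not HashiCorp’s code and does not reproduce Vault’s implementation: a replay check that keys its "already used" cache on the raw submitted string while the code comparison quietly tolerates a different representation of the same code, next to a hardened check that validates the passcode’s shape first, keys the cache on the canonical form, and returns one generic error. The bulletin does not say which input variant Vault accepted; the whitespace tolerance below is a constructed stand-in for the missing normalization, and the HOTP/TOTP helpers and the RFC 4226/6238 test secret are included only so the example runs offline.

```python
"""Added example (not HashiCorp's code): TOTP replay check keyed on raw
input versus a check that validates and canonicalises the passcode first.

Assumption: the vulnerable checker strips surrounding whitespace before
comparing, a constructed stand-in for whatever normalisation Vault applied
after, rather than before, its once-per-window check.
"""
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time window."""
    return hotp(secret, int(now // period), digits)


class VulnerableTotpChecker:
    """Replay cache keyed on the raw string; comparison normalises afterwards.

    "287082" and " 287082" are the same code to the comparison but different
    keys to the replay cache, so the second form replays the first.
    """

    def __init__(self, secret: bytes, period: int = 30, digits: int = 6):
        self.secret, self.period, self.digits = secret, period, digits
        self.used: set[tuple[int, str]] = set()

    def validate(self, passcode: str, now: float) -> str:
        window = int(now // self.period)
        if (window, passcode) in self.used:          # keyed on the raw input
            return "code already used"                 # distinct error leaks state
        expected = hotp(self.secret, window, self.digits)
        if hmac.compare_digest(passcode.strip(), expected):  # normalised only here
            self.used.add((window, passcode))
            return "ok"
        return "invalid code"


class HardenedTotpChecker:
    """Strict shape check, then compare, then replay check on the canonical code."""

    def __init__(self, secret: bytes, period: int = 30, digits: int = 6):
        self.secret, self.period, self.digits = secret, period, digits
        self.used: set[tuple[int, str]] = set()

    def validate(self, passcode: str, now: float) -> str:
        # 1. Accept exactly `digits` ASCII digits and nothing else. isascii()
        #    matters because str.isdigit() also accepts Unicode digits.
        #    This leaves a single representation per code, so the replay
        #    cache and the comparison can no longer disagree.
        if len(passcode) != self.digits or not passcode.isascii() or not passcode.isdigit():
            return "invalid code"
        window = int(now // self.period)
        expected = hotp(self.secret, window, self.digits)
        # 2. Constant-time compare against the code for this window.
        if not hmac.compare_digest(passcode, expected):
            return "invalid code"
        # 3. Replay check on the canonical form, with the same generic error
        #    so a caller cannot tell "wrong" from "already used".
        if (window, passcode) in self.used:
            return "invalid code"
        self.used.add((window, passcode))
        return "ok"


if __name__ == "__main__":
    t = 31  # inside window 30..59; RFC 6238 vector for this secret is "287082"
    for cls in (VulnerableTotpChecker, HardenedTotpChecker):
        c = cls(RFC_SECRET)
        print(cls.__name__, c.validate("287082", t),
              c.validate("287082", t + 5), c.validate(" 287082", t + 10))
```

The ordering in the hardened checker is the point: reject anything that is not exactly the expected length and character set before touching the replay cache, so every accepted code has exactly one spelling, and use the same error for a wrong code and a reused one. A real deployment would additionally bound attempts per window; the bulletin mentions a rate-limit bypass but gives no detail, so that part is not modelled here.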

Timeline

  • Aug 1, 2025 CVE Published