HCSEC-2025-21
**Bulletin ID:** HCSEC-2025-21

**Affected Products / Versions:** Vault Community from 1.13.0 up to 1.20.2. Vault Enterprise from 1.13.0 up to 1.20.2, 1.19.8, 1.18.13, and 1.16.24.

**Publication Date:** August 6, 2025

**Summary**

Vault Community and Vault Enterprise’s (“Vault”) userpass method is affected by a user enumeration vulnerability. This may allow an attacker to enumerate valid usernames on this auth method through brute force or a list of known usernames. CVE-2025-6010 was reserved by HashiCorp to track this issue, which will be fixed in an upcoming Vault release.

**Background**

Vault’s [userpass auth method](https://developer.hashicorp.com/vault/docs/auth/userpass) allows users to authenticate to Vault using a username and password combination.

**Remediation**

As of the time of publication, this issue is not fixed in a released version of Vault Community or Vault Enterprise. This bulletin will be updated when a fixed version is released.

While we believe this is a low-risk issue, customers who wish to reduce the impact of this vulnerability should consider using [rate-limit quotas](https://developer.hashicorp.com/vault/docs/configuration/identity-based-rate-limit) (see below) in Vault or enabling network level controls for rate limiting that restrict access to Vault. Customers may also consider enforcing [login MFA](https://developer.hashicorp.com/vault/docs/auth/login-mfa) for the userpass auth mounts.

```
vault write sys/quotas/rate-limit/userpass-auth-ratelimit \
  name="userpass-auth-ratelimit" \
  path="namespace1/auth/userpass*" \
  rate=10 \
  interval="1m" \
  block_interval="5m"
```

Refer to the [create a rate limit quota](https://developer.hashicorp.com/vault/docs/configuration/create-rate-limit-quota) documentation for other examples.

**Acknowledgement**

This issue was identified by Yarden Porat of Cyata Security who reported it to HashiCorp.

*We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see [https://hashicorp.com/security](https://hashicorp.com/security).*
Timeline
- Aug 6, 2025 CVE Published
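Alongside the rate-limit quota above, a defender can watch the Vault audit log for the pattern this issue enables: one client failing logins against many distinct usernames on the userpass login path in a short window. The following is an added detection example, not code from the bulletin or from HashiCorp; the audit-log lines are constructed, it assumes the default `auth/userpass/` mount path, and the window and threshold values are illustrative.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit-log entries (not real data). The field shape follows
# Vault's JSON audit device: type, time, request.path, request.remote_address,
# and a top-level "error" on failed responses.
SAMPLE_AUDIT_LINES = [
    '{"type":"response","time":"2025-08-06T12:00:00Z","request":{"path":"auth/userpass/login/alice","remote_address":"10.0.0.5"},"error":"invalid username or password"}',
    '{"type":"response","time":"2025-08-06T12:00:10Z","request":{"path":"auth/userpass/login/bob","remote_address":"10.0.0.5"},"error":"invalid username or password"}',
    '{"type":"response","time":"2025-08-06T12:00:20Z","request":{"path":"auth/userpass/login/carol","remote_address":"10.0.0.5"},"error":"invalid username or password"}',
    '{"type":"response","time":"2025-08-06T12:00:25Z","request":{"path":"auth/userpass/login/dave","remote_address":"10.0.0.9"},"error":"invalid username or password"}',
    '{"type":"response","time":"2025-08-06T12:00:30Z","request":{"path":"auth/userpass/login/dave","remote_address":"10.0.0.9"}}',
    '{"type":"request","time":"2025-08-06T12:00:31Z","request":{"path":"sys/health","remote_address":"10.0.0.9"}}',
]
LOGIN_PREFIX = "auth/userpass/login/"  # assumes the default userpass mount path

def parse_userpass_login(line):
    """Return (time, source, username, failed) for a userpass login response, else None."""
    entry = json.loads(line)
    if entry.get("type") != "response":  # only responses carry the outcome
        return None
    req = entry.get("request", {})
    path = req.get("path", "")
    if not path.startswith(LOGIN_PREFIX):
        return None
    ts = datetime.fromisoformat(entry["time"].replace("Z", "+00:00"))
    return ts, req.get("remote_address", "unknown"), path[len(LOGIN_PREFIX):], bool(entry.get("error"))

def find_enumeration(lines, window=timedelta(minutes=1), threshold=3):
    """Flag sources whose failed logins cover >= threshold distinct usernames
    inside any sliding window of length `window`. Returns {source: [usernames]}."""
    failed = sorted(e for e in map(parse_userpass_login, lines) if e and e[3])
    by_source = defaultdict(list)
    for ts, src, user, _ in failed:
        by_source[src].append((ts, user))
    flagged = {}
    for src, events in by_source.items():
        for i, (start, _) in enumerate(events):  # events are time-ordered
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= threshold:
                flagged[src] = sorted(users)
                break
    return flagged

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_AUDIT_LINES))  # {'10.0.0.5': ['alice', 'bob', 'carol']}
```

Counting distinct usernames rather than raw failures separates enumeration from a single user mistyping a password; the quota in the bulletin blocks the burst, this query tells you it happened and from where.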