User Lockout Bypass in Vault by HashiCorp
CVE-2025-6004

5.3MEDIUM

Key Information:

Vendor: Hashicorp
Status: Vault; Vault Enterprise
Vendor: CVE Published:; 1 August 2025

What is CVE-2025-6004?

A vulnerability exists in HashiCorp's Vault and Vault Enterprise products that allows the user lockout feature to be bypassed when using Userpass and LDAP authentication methods. This means that attackers could potentially gain unauthorized access to user accounts, posing a significant security risk. The issue has been addressed in the latest versions, specifically Vault Community Edition 1.20.1 and Vault Enterprise versions 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

Affected Version(s)

Vault 64 bit 1.13.0 < 1.20.1

Vault Enterprise 64 bit 1.13.0 < 1.20.1

References

https://discuss.hashicorp.com/t/hcsec-2025-16-vault-userp...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 1, 2025
Vulnerability Reserved
Jun 11, 2025

Hashicorp

What is CVE-2025-6004?

Affected Version(s)

References

CVSS V3.1

Timeline