LDAP Authentication Flaw in HashiCorp Vault and Vault Enterprise
CVE-2025-6013

6.5 MEDIUM

Key Information:

Vendor

HashiCorp

CVE Published:
6 August 2025

What is CVE-2025-6013?

The LDAP auth method in Vault and Vault Enterprise may allow an MFA enforcement bypass when the 'username_as_alias' option is enabled and a user account carries multiple common names (CNs) that differ only by leading or trailing whitespace. Under those conditions a user may not be prompted for multi-factor authentication as expected, so resources that an MFA login enforcement was meant to gate can be reached without the second factor. Exposure requires all three conditions together: an affected version, 'username_as_alias' enabled on an LDAP auth mount, and at least one account with such whitespace-variant CNs. The issue is fixed in Vault 1.20.2 (see Affected Version(s) below).

Affected Version(s)

Vault (64-bit): 1.10.0 and later, up to but not including 1.20.2

Vault Enterprise (64-bit): 1.10.0 and later, up to but not including 1.20.2
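To turn the three preconditions above (affected version, 'username_as_alias' enabled on an LDAP mount, an account with CNs that differ only by surrounding whitespace) into a check you can actually run, the following Python is an added example written for this page; it is not HashiCorp's code. It operates on data you would pull yourself: the version string from 'vault version', the mount table from 'vault auth list -format=json', the "data" object from 'vault read auth/<mount>config -format=json' for each LDAP mount, and the cn attribute values of user entries from an LDAP search. The mount table, configs and LDAP entries embedded below are constructed samples so the script runs offline.

```python
"""Triage helper for CVE-2025-6013 (added example; not HashiCorp's code)."""
import re
from collections import defaultdict

# Affected range as stated in the advisory: 1.10.0 <= version < 1.20.2 (CE and Enterprise).
AFFECTED_MIN = (1, 10, 0)
FIXED_IN = (1, 20, 2)


def parse_version(text):
    """'v1.19.3+ent' -> (1, 19, 3). Accepts the 'v' prefix and '+ent' suffix Vault prints."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Vault version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def version_is_affected(text):
    return AFFECTED_MIN <= parse_version(text) < FIXED_IN


def ldap_mounts_with_username_as_alias(auth_list, configs):
    """auth_list: dict from `vault auth list -format=json` (mount path -> mount info).
    configs: dict mount path -> "data" of `vault read auth/<path>config -format=json`.
    Returns the LDAP mount paths that have username_as_alias enabled."""
    flagged = []
    for path, mount in auth_list.items():
        if mount.get("type") != "ldap":
            continue
        if configs.get(path, {}).get("username_as_alias") is True:
            flagged.append(path)
    return sorted(flagged)


def whitespace_cn_collisions(entries):
    """entries: iterable of (dn, [cn values]).
    Returns {dn: {stripped_cn: [raw variants]}} for every entry that carries two or more
    cn values differing only by leading/trailing whitespace, the precondition in the advisory."""
    result = {}
    for dn, cns in entries:
        groups = defaultdict(set)
        for cn in cns:
            groups[cn.strip()].add(cn)
        dupes = {k: sorted(v) for k, v in groups.items() if len(v) > 1}
        if dupes:
            result[dn] = dupes
    return result


def triage(version, auth_list, configs, entries):
    """Combine the three checks; 'exposed' is true only when all three hold."""
    mounts = ldap_mounts_with_username_as_alias(auth_list, configs)
    collisions = whitespace_cn_collisions(entries)
    affected = version_is_affected(version)
    return {
        "version_affected": affected,
        "mounts": mounts,
        "cn_collisions": collisions,
        "exposed": affected and bool(mounts) and bool(collisions),
    }


# Constructed sample data (not captured from a real cluster or directory).
SAMPLE_AUTH_LIST = {
    "token/": {"type": "token"},
    "ldap/": {"type": "ldap"},
    "ldap-legacy/": {"type": "ldap"},
}
SAMPLE_CONFIGS = {
    "ldap/": {"url": "ldaps://ldap.example.com", "username_as_alias": True},
    "ldap-legacy/": {"url": "ldaps://old.example.com", "username_as_alias": False},
}
SAMPLE_ENTRIES = [
    ("uid=alice,ou=people,dc=example,dc=com", ["alice", "alice "]),  # trailing-space variant
    ("uid=bob,ou=people,dc=example,dc=com", ["bob"]),
    ("uid=carol,ou=people,dc=example,dc=com", ["carol", "Carol"]),  # case differs, not whitespace
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage("v1.19.3+ent", SAMPLE_AUTH_LIST, SAMPLE_CONFIGS, SAMPLE_ENTRIES), indent=2))
```

With the constructed data the report flags version 1.19.3 as affected, the 'ldap/' mount as having 'username_as_alias' enabled, and only alice's entry as carrying whitespace-variant CNs; the same data with version 1.20.2 reports not exposed. Treat a hit on the first two checks alone as worth fixing (upgrade, or disable 'username_as_alias' if your alias naming allows it), since the directory scan only covers the entries you happened to pull.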

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Vector (as assembled from the metrics below): CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Note: the metric values listed here compute to a CVSS 3.1 base score of 7.2, not 6.5, so either the score or at least one metric on this page is inconsistent. Check the vendor advisory or the NVD entry for the authoritative vector before using either number for prioritisation.

Timeline

  • Vulnerability reserved

  • Vulnerability published: 6 August 2025
