CVE-2025-6013

🗓️ 06 Aug 2025 10:06:55Reported by HashiCorpType

cve🔗 web.nvd.nist.gov📰️ 2 Media mentions👁 19 Views

Vault ldap auth method may not enforce MFA correctly with specific user cases, fixed in versions 1.20.2.

Reporter	Title	Published	Views	Family All 31
ATTACKERKB	CVE-2025-6013	6 Aug 202510:06	–	attackerkb
Chainguard	CVE-2025-6013 vulnerabilities	7 Jan 202601:30	–	cgr
Circl	CVE-2025-6013	8 Aug 202502:59	–	circl
CNNVD	HashiCorp Vault和HashiCorp Vault Enterprise 安全漏洞	6 Aug 202500:00	–	cnnvd
Cvelist	CVE-2025-6013 Vault LDAP MFA Enforcement Bypass When Using Username As Alias	6 Aug 202510:06	–	cvelist
EUVD	EUVD-2025-23817	3 Oct 202520:07	–	euvd
EUVD	EUVD-2025-24033	3 Oct 202520:07	–	euvd
Github Security Blog	HashiCorp Vault ldap auth method may not have correctly enforced MFA	6 Aug 202512:31	–	github
NVD	CVE-2025-6013	6 Aug 202510:15	–	nvd
OPENSUSE Linux	openbao-2.3.2-1.1 on GA media (moderate)	19 Aug 202500:00	–	opensuse

NVD

Node

hashicorp vaultRange1.10.0–1.15.16enterprise

hashicorp vaultRange1.10.0–1.20.2-

hashicorp vaultRange1.16.0–1.16.24enterprise

hashicorp vaultRange1.17.0–1.18.13enterprise

hashicorp vaultRange1.19.0–1.19.8enterprise

hashicorp vaultRange1.20.0–1.20.2enterprise

[
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "64 bit",
      "32 bit",
      "x86",
      "ARM",
      "MacOS",
      "Windows",
      "Linux"
    ],
    "product": "Vault",
    "repo": "https://github.com/hashicorp/vault",
    "vendor": "HashiCorp",
    "versions": [
      {
        "lessThan": "1.20.2",
        "status": "affected",
        "version": "1.10.0",
        "versionType": "semver"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "64 bit",
      "32 bit",
      "x86",
      "ARM",
      "MacOS",
      "Windows",
      "Linux"
    ],
    "product": "Vault Enterprise",
    "repo": "https://github.com/hashicorp/vault",
    "vendor": "HashiCorp",
    "versions": [
      {
        "changes": [
          {
            "at": "1.19.8",
            "status": "unaffected"
          },
          {
            "at": "1.18.13",
            "status": "unaffected"
          },
          {
            "at": "1.16.24",
            "status": "unaffected"
          }
        ],
        "lessThan": "1.20.2",
        "status": "affected",
        "version": "1.10.0",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
discuss	www.discuss.hashicorp.com/t/hcsec-2025-20-vault-ldap-mfa-enforcement-bypass-when-using-username-as-alias/76092

15 Dec 2025 16:13Current

6.4Medium risk

Vulners AI Score6.4

CVSS 3.16.5 - 8.1

EPSS0.00163

SSVC

CWE-156