Vault Userpass Auth Timing Side Channel Username Enumeration
CVE-2025-6011 Published on August 1, 2025
Timing Side-Channel in Vault’s Userpass Auth Method
A timing side channel in the Vault and Vault Enterprise (Vault) userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially to enumerate valid usernames for Vault's Userpass auth method. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
Weakness Type
What is a Side Channel Attack Vulnerability?
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. Discrepancies can take many forms, and variations may be detectable in timing, control flow, communications such as replies or requests, or general behavior. These discrepancies can reveal information about the product's operation or internal state to an unauthorized actor. In some cases, discrepancies can be used by attackers to form a side channel.
CVE-2025-6011 has been classified as a Side Channel Attack vulnerability or weakness.
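To make the weakness description concrete, here is an added example (not Vault's code, and not taken from this advisory) of the pattern that produces a timing discrepancy in a userpass-style login, next to the hardened form. It assumes the classic early-return shape: the leaky handler skips password hashing when the username is unknown, so an unknown user answers far faster than a known user with a wrong password; the uniform handler always does the hashing, against a precomputed dummy record for unknown users. The store, the user names, the credentials and the `stretch` function (a stdlib iterated SHA-256 stand-in for bcrypt) are all constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"sort"
	"time"
)

// userRecord holds a per-user salt and the stretched password hash.
type userRecord struct {
	salt []byte
	hash []byte
}

// Store is a minimal in-memory userpass backend. The dummy record is
// precomputed once so that logins for unknown users can do the same
// amount of work as logins for known users.
type Store struct {
	users map[string]userRecord
	dummy userRecord
}

// stretchRounds makes one verification cost milliseconds, which is what
// makes the early-return gap measurable (assumed value for the example).
const stretchRounds = 20000

// stretch derives a hash by iterated SHA-256 over salt||password. It is a
// dependency-free stand-in for bcrypt, not a recommended password hash.
func stretch(salt []byte, password string) []byte {
	buf := append(append([]byte{}, salt...), password...)
	h := sha256.Sum256(buf)
	for i := 1; i < stretchRounds; i++ {
		h = sha256.Sum256(h[:])
	}
	return h[:]
}

// NewStore creates an empty store with a precomputed dummy record.
func NewStore() *Store {
	dummySalt := []byte("dummy-salt") // constructed value
	return &Store{
		users: map[string]userRecord{},
		dummy: userRecord{salt: dummySalt, hash: stretch(dummySalt, "dummy-password")},
	}
}

// AddUser registers a user. The salt is derived from the name only to keep
// the example deterministic; real code draws it from crypto/rand.
func (s *Store) AddUser(name, password string) {
	salt := []byte("salt-" + name)
	s.users[name] = userRecord{salt: salt, hash: stretch(salt, password)}
}

// LoginLeaky returns before doing any hashing when the user is unknown.
// An unknown user therefore answers in nanoseconds and a known user with a
// wrong password in milliseconds: the observable discrepancy described above.
func (s *Store) LoginLeaky(name, password string) bool {
	rec, ok := s.users[name]
	if !ok {
		return false
	}
	return subtle.ConstantTimeCompare(stretch(rec.salt, password), rec.hash) == 1
}

// LoginUniform always runs the stretch and the constant-time compare,
// against the dummy record when the user is unknown, so both failure paths
// cost the same. The final && branches only after the work is done, and a
// dummy-hash match never yields a successful login because ok is false.
func (s *Store) LoginUniform(name, password string) bool {
	rec, ok := s.users[name]
	if !ok {
		rec = s.dummy
	}
	match := subtle.ConstantTimeCompare(stretch(rec.salt, password), rec.hash) == 1
	return ok && match
}

// MedianLogin times n calls of fn and returns the median duration, which is
// less sensitive to scheduler noise than a single measurement.
func MedianLogin(fn func(string, string) bool, name, password string, n int) time.Duration {
	ds := make([]time.Duration, n)
	for i := range ds {
		start := time.Now()
		fn(name, password)
		ds[i] = time.Since(start)
	}
	sort.Slice(ds, func(i, j int) bool { return ds[i] < ds[j] })
	return ds[n/2]
}

func main() {
	s := NewStore()
	s.AddUser("alice", "correct horse battery staple") // constructed credentials

	for _, c := range []struct {
		label string
		fn    func(string, string) bool
	}{{"leaky", s.LoginLeaky}, {"uniform", s.LoginUniform}} {
		known := MedianLogin(c.fn, "alice", "wrong-password", 9)
		unknown := MedianLogin(c.fn, "mallory", "wrong-password", 9)
		fmt.Printf("%-8s known user, wrong password: %v   unknown user: %v\n", c.label, known, unknown)
	}
}
```

Running `main` prints the two medians for each handler: the leaky one shows a gap of several orders of magnitude between the two failure cases, the uniform one shows them within noise of each other. The fix is equal work on every path, not a constant-time string compare alone; a compare that is never reached for unknown users protects nothing. On the detection side, the precursor to exploiting such a gap is a burst of failed logins spread across many distinct usernames from one source, which is worth alerting on regardless of whether the timing leak is patched.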
Products Associated with CVE-2025-6011
Affected Versions
HashiCorp Vault:
- Before 1.20.1 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.