CVE-2025-6004: Hashicorp Vault has Lockout Feature Authentication Bypass

August 1, 2025

Vault and Vault Enterprise’s (“Vault”) user lockout feature could be bypassed for Userpass and LDAP authentication methods. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

References

discuss.hashicorp.com/t/hcsec-2025-16-vault-userpass-and-ldap-user-lockout-bypass/76035
github.com/advisories/GHSA-qgj7-fmq2-6cc4
github.com/hashicorp/vault
nvd.nist.gov/vuln/detail/CVE-2025-6004

Code Behaviors & Features

Detect and mitigate CVE-2025-6004 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →