CVE-2025-6014: Hashicorp Vault's TOTP Secrets Engine Susceptible to Code Reuse

August 1, 2025

Vault and Vault Enterprise’s (“Vault”) TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

References

discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036
github.com/advisories/GHSA-qv3p-fmv3-9hww
github.com/hashicorp/vault
nvd.nist.gov/vuln/detail/CVE-2025-6014

Code Behaviors & Features

Detect and mitigate CVE-2025-6014 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →