BIT-vault-2025-6011
Observable Discrepancy vulnerability in vault (Go)

Weakness class: Observable Discrepancy. Known exploit: none.

What is BIT-vault-2025-6011 About?

Hashicorp Vault has an observable discrepancy between existing and non-existing users. This allows an attacker to enumerate valid user accounts on the system, which can aid in brute-force or social engineering attacks. Exploitation relies on distinguishing specific responses.

Affected Software

github.com/hashicorp/vault <1.20.1

Technical Details

The Hashicorp Vault system exhibits an 'Observable Discrepancy' in its responses when an attacker queries for an existing user versus a non-existing user. This means that the error messages, response timings, or other observable characteristics (e.g., HTTP status codes, specific error messages) differ subtly between these two scenarios. By analyzing these discrepant responses, an attacker can distinguish between valid and invalid usernames, enabling them to enumerate existing user accounts within the Vault system without needing to successfully authenticate.
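The discrepancy described above, as an added Go example that is not Vault's code: a hypothetical login function that returns distinct errors and skips the password check for unknown names (so both the message and the timing differ), beside a hardened version that returns one uniform error and does the same work on both paths. The user store, hash function and user "alice" are simplified stand-ins assumed for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// hashPassword stands in for a real password hash such as bcrypt (hypothetical store, not Vault's).
func hashPassword(pw string) [32]byte { return sha256.Sum256([]byte(pw)) }

var users = map[string][32]byte{"alice": hashPassword("correct horse")}
var (
	errNoSuchUser  = errors.New("user not found")               // reveals the name is unknown
	errBadPassword = errors.New("invalid password")             // reveals the name exists
	errAuthFailed  = errors.New("invalid username or password") // uniform for both failures
)

// leakyLogin: the error differs by user existence, and unknown names skip the
// hash entirely, so both the message and the timing are observable discrepancies.
func leakyLogin(name, pw string) error {
	stored, ok := users[name]
	if !ok {
		return errNoSuchUser
	}
	if h := hashPassword(pw); subtle.ConstantTimeCompare(h[:], stored[:]) != 1 {
		return errBadPassword
	}
	return nil
}

// dummyHash is compared against for unknown names so the work (and timing) matches.
var dummyHash = hashPassword("unused")

// hardenedLogin: one error for every failure and the same hash work on every path.
func hardenedLogin(name, pw string) error {
	stored, known := users[name]
	if !known {
		stored = dummyHash
	}
	h := hashPassword(pw)
	match := subtle.ConstantTimeCompare(h[:], stored[:]) == 1
	if !known || !match { // existence is never reported on its own
		return errAuthFailed
	}
	return nil
}

func main() { fmt.Println(leakyLogin("nobody", "x"), "|", hardenedLogin("nobody", "x")) }
```

A password that happens to match the dummy hash for an unknown name still fails, because the existence check is folded into the final decision rather than short-circuiting the response.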

What is the Impact of BIT-vault-2025-6011?

Successful exploitation may allow attackers to enumerate valid usernames, which can be used to facilitate brute-force attacks, credential stuffing, or social engineering targeting legitimate users.

What is the Exploitability of BIT-vault-2025-6011?

Exploitation is of low complexity and typically requires no authentication, as the discrepancy often occurs during the initial authentication phase (e.g., login attempts). There are no specific privilege requirements for this type of information leakage. This is primarily a remote vulnerability, as an attacker can send repeated requests over the network to observe the differing responses. The main prerequisite is a publicly accessible Vault interface that provides these distinct responses. The ability to differentiate responses for existing vs. non-existing users significantly increases the likelihood of an attacker successfully compiling a list of valid user accounts.

What are the Known Public Exploits?

No known public exploits (no PoC, author, link or commentary listed).

What are the Available Fixes for BIT-vault-2025-6011?

Available Upgrade Options

  • github.com/hashicorp/vault
    • <1.20.1 → Upgrade to 1.20.1


Additional Resources

What are Similar Vulnerabilities to BIT-vault-2025-6011?

Similar Vulnerabilities: CVE-2021-26270, CVE-2020-19904, CVE-2020-13936, CVE-2022-44648, CVE-2022-26136