HashiCorp Vault and Vault Enterprise MFA Rate Limit Bypass and TOTP Token Reuse Vulnerability

Vulnerability

A vulnerability exists in HashiCorp Vault and Vault Enterprise that allows login multi-factor authentication (MFA) rate limits to be bypassed and Time-based One-Time Password (TOTP) codes to be reused. This issue is present in Vault Community Edition versions 1.10.0 up to but not including 1.20.0, and in Vault Enterprise versions 1.10.0 up to but not including 1.20.0, 1.19.6, 1.18.11, 1.16.22, and 1.15.15. The vulnerability arises because Vault's login MFA did not properly normalize TOTP codes before enforcing the once-per-validity-window check, so a previously used code could be resubmitted and accepted again during MFA verification.
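The defect class described above, a replay check keyed on the raw submission rather than on the normalized code, is easy to reproduce and to fix in a small verifier. The following Go program is an added example, not Vault's code and not the advisory's own material; it implements RFC 4226/6238 TOTP generation, then a verifier with a once-per-window replay record. The assumption that the un-normalized variants are whitespace and separator characters is the example's own (the advisory does not say which input forms Vault failed to normalize); the secret and timestamp are constructed sample values. With `normalizeReplayKey=false` the verifier matches the code after normalization but records the raw string as "used", so a re-spelled copy of a spent code is accepted again; with `normalizeReplayKey=true` the canonical form is the replay key and the copy is rejected.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strings"
	"sync"
	"time"
)

// hotp computes an RFC 4226 HOTP value for secret and counter with the given digit count.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation offset
	trunc := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, trunc%mod)
}

// totp derives the RFC 6238 counter from a Unix time and the step period.
func totp(secret []byte, unix, period int64, digits int) string {
	return hotp(secret, uint64(unix/period), digits)
}

// canonicalCode reduces a user-submitted code to its canonical form: only the
// ASCII digits, with whitespace and separators removed (assumed variants for
// this example). Both the match and the replay check must key on this form.
func canonicalCode(code string) string {
	var b strings.Builder
	for _, r := range code {
		if r >= '0' && r <= '9' {
			b.WriteByte(byte(r))
		}
	}
	return b.String()
}

// Verifier validates TOTP codes and accepts each code at most once per
// validity window. normalizeReplayKey=false reproduces the flawed pattern
// (constructed here, not Vault's implementation): the "already used" record
// is keyed on the raw submission, so a re-spelled copy is not recognised.
type Verifier struct {
	secret             []byte
	period             int64
	digits             int
	normalizeReplayKey bool
	mu                 sync.Mutex
	used               map[string]struct{} // "<window>:<code>"
}

func NewVerifier(secret []byte, normalizeReplayKey bool) *Verifier {
	return &Verifier{secret: secret, period: 30, digits: 6,
		normalizeReplayKey: normalizeReplayKey, used: map[string]struct{}{}}
}

// Verify returns true only if code matches the current window's TOTP value
// and has not already been accepted in that window.
func (v *Verifier) Verify(code string, now time.Time) bool {
	canon := canonicalCode(code)
	if len(canon) != v.digits {
		return false
	}
	expected := totp(v.secret, now.Unix(), v.period, v.digits)
	if subtle.ConstantTimeCompare([]byte(canon), []byte(expected)) != 1 {
		return false
	}
	replayKey := code // flawed: raw submission
	if v.normalizeReplayKey {
		replayKey = canon // fixed: canonical form
	}
	key := fmt.Sprintf("%d:%s", now.Unix()/v.period, replayKey)

	v.mu.Lock()
	defer v.mu.Unlock()
	if _, seen := v.used[key]; seen {
		return false // once-per-window rule
	}
	v.used[key] = struct{}{}
	return true
}

func main() {
	secret := []byte("constructed-demo-secret") // constructed sample key
	now := time.Unix(1_700_000_000, 0)          // constructed sample time
	code := totp(secret, now.Unix(), 30, 6)

	flawed := NewVerifier(secret, false)
	fmt.Println("flawed, first use: ", flawed.Verify(code, now))     // true
	fmt.Println("flawed, re-spelled:", flawed.Verify(" "+code, now)) // true: replay accepted

	fixed := NewVerifier(secret, true)
	fmt.Println("fixed, first use:  ", fixed.Verify(code, now))     // true
	fmt.Println("fixed, re-spelled: ", fixed.Verify(" "+code, now)) // false
}
```

The map in this example grows without pruning; a production verifier would evict entries from windows that can no longer be valid. The point the example isolates is that every comparison a verifier makes, the match against the expected value and the lookup in the used-code record, must operate on the same canonical representation of the code.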

Impact

Exploitation of this vulnerability allows MFA rate limits to be bypassed and TOTP codes to be reused, potentially leading to unauthorized access.

Remediation

Users are advised to upgrade to Vault Community Edition 1.20.1 or Vault Enterprise 1.20.1, 1.19.7, 1.18.12, or 1.16.23.

Added: Aug 1, 2025, 7:44 PM
Updated: Aug 1, 2025, 7:44 PM

Vulnerability Rating

Custom Algorithm

spread: 7.3
impact: 5.0
exploitability: 6.4
remediation: 7.7
relevance: 0.3
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.