CVE-2025-6013
Vault LDAP MFA Enforcement Bypass When Using Username As Alias
Severity: 6.5 MEDIUM (CVSS 3.1) | EPSS: 0.16%
Description
Vault and Vault Enterprise’s (“Vault”) ldap auth method may not have correctly enforced MFA when username_as_alias was set to true and a user entry carried multiple CN values that were equal except for leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and 1.16.24.
How to fix CVE-2025-6013
To remediate CVE-2025-6013, upgrade the affected package to a fixed version below.
- —upgrade to 1.20.2 or later
- —upgrade to 1.20.2 or later
- —upgrade to 1.20.2 or later
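Two defender-side checks that follow from the description and the fix list above, as an added example (not HashiCorp code and not part of the advisory): a version check against the fixed releases the advisory names, and an audit of LDAP user entries for the duplicate-CN-with-surrounding-whitespace condition. The LDAP entries are constructed sample data; the version-line fallback (unlisted minor lines are fixed only from 1.20.2) is an assumption taken from the affected range shown below.

```python
"""Checks for CVE-2025-6013: added example, not HashiCorp code."""
from collections import defaultdict

# Fixed releases per minor line, as listed in the advisory.
FIXED_VERSIONS = {(1, 20): (1, 20, 2), (1, 19): (1, 19, 8),
                  (1, 18): (1, 18, 13), (1, 16): (1, 16, 24)}


def parse_version(text: str):
    """'v1.19.7+ent' -> (1, 19, 7); edition/build suffixes are ignored."""
    core = text.lstrip("v").split("+")[0].split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_fixed(version: str) -> bool:
    """True if this Vault version carries the fix for CVE-2025-6013.
    Assumption: a minor line with no listed backport (e.g. 1.17.x) is
    only fixed by moving to 1.20.2 or later, per the affected range."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    return v >= (1, 20, 2) if fixed is None else v >= fixed


def whitespace_cn_duplicates(entries):
    """Return {dn: [raw cn values]} for entries holding more than one CN
    value that become identical once leading/trailing whitespace is
    stripped. That is exactly the condition under which the advisory
    says MFA may not be enforced when username_as_alias=true."""
    hits = {}
    for entry in entries:
        seen = defaultdict(list)
        for cn in entry.get("cn", []):
            seen[cn.strip()].append(cn)
        dupes = [cn for grp in seen.values() if len(grp) > 1 for cn in grp]
        if dupes:
            hits[entry["dn"]] = dupes
    return hits


# Constructed sample directory data: one entry has the risky CN pair.
SAMPLE_ENTRIES = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com", "cn": ["alice", " alice"]},
    {"dn": "uid=bob,ou=people,dc=example,dc=com", "cn": ["bob", "Robert Smith"]},
]

if __name__ == "__main__":
    print("1.19.7 fixed:", is_fixed("1.19.7"))  # False, 1.19.8 is the fix
    print("1.18.13+ent fixed:", is_fixed("1.18.13+ent"))  # True
    for dn, cns in whitespace_cn_duplicates(SAMPLE_ENTRIES).items():
        print(f"duplicate CN after strip in {dn}: {cns}")
```

In a real audit the entries would come from an LDAP search of the user base Vault binds against; any entry reported should be cleaned up in the directory in addition to upgrading Vault.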
Is CVE-2025-6013 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- >= 1.10.0, < 1.20.2
- from 0, < 1.20.2
- from 0, < 1.20.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.5) | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N |