CVE-2025-6014 — Vault TOTP Secrets Engine Code Reuse

Description

Vault and Vault Enterprise’s (“Vault”) TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

How to fix CVE-2025-6014

To remediate CVE-2025-6014, upgrade the affected package to a fixed version below.

Bitnami/vault—upgrade to 1.20.1 or later
—upgrade to 1.20.1 or later
—upgrade to 1.20.1 or later

Is CVE-2025-6014 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 1.20.1
from 0, < 1.20.1
from 0, < 1.20.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (4)

ADVISORYgithub.com/advisories/GHSA-qv3p-fmv3-9hww
ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-6014
PATCHgithub.com/hashicorp/vault
WEBdiscuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036