CVE-2025-6015 — Vault Login MFA Bypass of Rate Limiting and TOTP Code Reuse

Description

Vault and Vault Enterprise’s (“Vault”) login MFA rate limits could be bypassed and TOTP tokens could be reused. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

How to fix CVE-2025-6015

To remediate CVE-2025-6015, upgrade the affected package to a fixed version below.

Bitnami/vault—upgrade to 1.20.1 or later
—upgrade to 1.20.1 or later
—upgrade to 1.20.1 or later

Is CVE-2025-6015 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

>= 1.10.0, < 1.20.1
>= 1.10.0, < 1.20.1
>= 1.10.0, < 1.20.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

References (4)

ADVISORYgithub.com/advisories/GHSA-v6r4-35f9-9rpw
ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-6015
PATCHgithub.com/hashicorp/vault
WEBdiscuss.hashicorp.com/t/hcsec-2025-19-vault-login-mfa-bypass-of-rate-limiting-and-totp-token-reuse/76038