
CVE-2025-11621: HashiCorp Vault and Vault Enterprise's AWS Auth method may be susceptible to authentication bypass

CVSS Score (v3.1): 8.1

Basic Information

EPSS Score: -
Published: 10/23/2025
Updated: 10/23/2025
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Package Name: github.com/hashicorp/vault
Ecosystem: Go
Vulnerable Versions: >= 0.6.0, < 1.21.0
First Patched Version: 1.21.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability lies in the caching of AWS service clients in Vault's AWS authentication backend. The methods clientEC2 and clientIAM in builtin/credential/aws/client.go create and cache the EC2 and IAM clients the backend uses to verify login requests. Their cache keys were built from the AWS region and the STS role name only; the AWS account ID the client was created for was not part of the key.

This becomes a security issue when Vault is configured to trust several AWS accounts and those accounts use the same STS role name. With the incomplete key, a request for a client for that role in one account can be served a cached client that was created for a different account, so the backend then performs its checks for that login through a client bound to the wrong account. A principal from one trusted account whose IAM role carries the same name can thereby satisfy a role binding intended for another account; this is the authentication bypass the advisory describes.

The patch introduces a clientKey struct containing AccountID, Region, and STSRole, and rekeys EC2ClientsMap and IAMClientsMap on that composite key. Cached clients are therefore unique per account, region, and STS role, cache collisions between accounts can no longer occur, and the bypass is closed. The vulnerable functions, aws.backend.clientEC2 and aws.backend.clientIAM, are exactly where the flawed cache lookup lived and where it was fixed.

Vulnerable functions

aws.backend.clientEC2
builtin/credential/aws/client.go
The `clientEC2` function was vulnerable because it used a cache for EC2 clients that was keyed only by region and STS role, but not by the AWS Account ID. This could lead to an authentication bypass where a client for one AWS account could be used for another if the role names were the same.
aws.backend.clientIAM
builtin/credential/aws/client.go
The `clientIAM` function was vulnerable because it used a cache for IAM clients that was keyed only by region and STS role, omitting the AWS Account ID. This could allow an attacker to bypass authentication by leveraging a role with the same name from a different, trusted AWS account.
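To make the key collision in the root cause analysis and in the two vulnerable-function entries above concrete, here is an added Go example. It is not Vault's code and not from this page: a toy client cache in the pre-fix shape (region, then STS role name) next to one keyed on the composite clientKey the patch introduces. The awsClient type, the constructor and function names, the two account IDs and the role name vault-auth are hypothetical and constructed for the demonstration; only the clientKey field names come from the analysis above.

```go
package main

import "fmt"

// awsClient stands in for an AWS SDK client (*ec2.EC2 or *iam.IAM in Vault)
// built with credentials obtained by assuming stsRole in accountID.
// Hypothetical type for this example, not a Vault type.
type awsClient struct {
	accountID string
	region    string
	stsRole   string
}

// clientCache is the operation both cache shapes below implement:
// return the client for (account, region, STS role), building it on a miss.
type clientCache interface {
	get(accountID, region, stsRole string) *awsClient
}

// vulnerableCache mirrors the pre-fix shape described on the page:
// region -> STS role name -> client. The account ID never reaches the key.
type vulnerableCache struct {
	clients map[string]map[string]*awsClient
}

func newVulnerableCache() *vulnerableCache {
	return &vulnerableCache{clients: map[string]map[string]*awsClient{}}
}

func (c *vulnerableCache) get(accountID, region, stsRole string) *awsClient {
	if c.clients[region] == nil {
		c.clients[region] = map[string]*awsClient{}
	}
	if cl, ok := c.clients[region][stsRole]; ok {
		// Cache hit: returned regardless of which account it was built for.
		return cl
	}
	cl := &awsClient{accountID: accountID, region: region, stsRole: stsRole}
	c.clients[region][stsRole] = cl
	return cl
}

// clientKey is the composite key the fix introduces (field names as the
// analysis above reports them).
type clientKey struct {
	AccountID string
	Region    string
	STSRole   string
}

// fixedCache is keyed on the full clientKey, so two accounts that share an
// STS role name in the same region get separate clients.
type fixedCache struct {
	clients map[clientKey]*awsClient
}

func newFixedCache() *fixedCache {
	return &fixedCache{clients: map[clientKey]*awsClient{}}
}

func (c *fixedCache) get(accountID, region, stsRole string) *awsClient {
	k := clientKey{AccountID: accountID, Region: region, STSRole: stsRole}
	if cl, ok := c.clients[k]; ok {
		return cl
	}
	cl := &awsClient{accountID: accountID, region: region, stsRole: stsRole}
	c.clients[k] = cl
	return cl
}

// servedWrongAccount simulates the precondition the advisory names: two
// trusted accounts (constructed IDs) configured with the same STS role name
// in the same region. It reports whether the client handed out for the
// second account was actually built for the first one.
func servedWrongAccount(c clientCache) bool {
	const region, role = "us-east-1", "vault-auth"
	c.get("111111111111", region, role) // populates the cache for the first account
	got := c.get("222222222222", region, role)
	return got.accountID != "222222222222"
}

func main() {
	fmt.Println("vulnerable cache serves wrong account:", servedWrongAccount(newVulnerableCache())) // true
	fmt.Println("fixed cache serves wrong account:", servedWrongAccount(newFixedCache()))           // false
}
```

Run with go run; the pre-fix shape returns the first account's client for the second account, the composite key does not. Operationally, the precondition is what to audit on instances still below 1.21.0: the STS role configured per trusted account under auth/aws/config/sts/<account_id> and the bound principal (bound_iam_principal_arn) on each auth/aws/role/<name>. Identical STS role names across trusted accounts, or wildcard bound principals, are the exposure window until the upgrade lands.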

WAF Protection Rules

WAF Rule

Vault and Vault Enterprise's ("Vault") AWS auth method may be susceptible to authentication bypass if the role of the configured bound_principal_iam is the same across AWS accounts, or uses a wildcard. This vulnerability is fixed in Vault Community
