
CVE-2025-6004: Hashicorp Vault has Lockout Feature Authentication Bypass

CVSS Score: 5.3 (CVSS v3.1)

Basic Information

EPSS Score: -
Published: 8/1/2025
Updated: 8/1/2025
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Package Name: github.com/hashicorp/vault
Ecosystem: go
Vulnerable Versions: >= 1.13.0, < 1.20.1
First Patched Version: 1.20.1

Vulnerability Intelligence

Root Cause Analysis

The vulnerability, CVE-2025-6004, allowed an attacker to bypass the user lockout feature in HashiCorp Vault for both userpass and ldap authentication methods. The core of the issue was the inconsistent normalization of usernames before checking for failed login attempts.

For the userpass authentication method, which treats usernames as case-insensitive, the pathLoginAliasLookahead function failed to convert the input username to a consistent case (lowercase). This discrepancy meant an attacker could make multiple login attempts with different casings of the same username (e.g., 'user', 'User', 'USER'). Each attempt was treated as a distinct alias for the purpose of lockout tracking, thus circumventing the lockout mechanism for the actual user account.

Similarly, for the ldap authentication method, the pathLoginAliasLookahead function did not correctly handle the case_sensitive_names configuration. When the LDAP backend was configured to be case-insensitive, it suffered from the same flaw as the userpass method, allowing for a lockout bypass.

The security patch rectifies this by enforcing proper username normalization within the pathLoginAliasLookahead function for both affected backends. For userpass, the username is now always converted to lowercase. For ldap, the username is converted to lowercase only when the case_sensitive_names option is disabled. This ensures that all login attempts for a given user map to a single, normalized alias, making the lockout mechanism effective.
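The normalization behaviour described above, modelled as an added Go example (this is not Vault's code; the lockout threshold of 5, the tracker and the function names are assumptions). It shows why attempts under different casings escape the lockout counter before the fix and share one counter after it, and why the ldap backend must keep raw names when case_sensitive_names is enabled:

```go
package main

import (
	"fmt"
	"strings"
)

// Assumed lockout threshold; Vault's real setting is user_lockout_threshold.
const maxFailedAttempts = 5

// LockoutTracker counts failed logins per alias name (constructed model of
// the state the lookahead alias feeds into).
type LockoutTracker struct{ failures map[string]int }

func NewLockoutTracker() *LockoutTracker {
	return &LockoutTracker{failures: map[string]int{}}
}

// RecordFailure increments the counter for alias and reports whether the
// alias has now reached the lockout threshold.
func (t *LockoutTracker) RecordFailure(alias string) bool {
	t.failures[alias]++
	return t.failures[alias] >= maxFailedAttempts
}

// aliasNameVulnerable mirrors the pre-fix lookahead: the raw username is the alias.
func aliasNameVulnerable(username string, caseSensitive bool) string { return username }

// aliasNameFixed mirrors the patched lookahead: lowercase unless the backend
// is configured for case-sensitive names (ldap with case_sensitive_names=true).
func aliasNameFixed(username string, caseSensitive bool) string {
	if caseSensitive {
		return username
	}
	return strings.ToLower(username)
}

// LockedAfterVariants feeds failed logins for each spelling in attempts
// through aliasFn and reports whether any alias reached the threshold.
func LockedAfterVariants(aliasFn func(string, bool) string, caseSensitive bool, attempts []string) bool {
	t := NewLockoutTracker()
	locked := false
	for _, u := range attempts {
		if t.RecordFailure(aliasFn(u, caseSensitive)) {
			locked = true
		}
	}
	return locked
}

func main() {
	attempts := []string{"user", "User", "USER", "uSer", "usEr"} // constructed sample
	fmt.Println("pre-fix, case-insensitive:", LockedAfterVariants(aliasNameVulnerable, false, attempts))
	fmt.Println("patched, case-insensitive:", LockedAfterVariants(aliasNameFixed, false, attempts))
	fmt.Println("patched, case_sensitive_names:", LockedAfterVariants(aliasNameFixed, true, attempts))
}
```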


WAF Protection Rules

WAF Rule

Vault and Vault Enterprise's ("Vault") user lockout feature could be bypassed for Userpass and LDAP authentication methods. Fixed in Vault Community Edition *.**.* and Vault Enterprise *.**.*, *.**.*, *.**.**, and *.**.**.
