| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/hashicorp/vault | go | >= 1.13.0, < 1.20.1 | 1.20.1 |
The vulnerability, CVE-2025-6004, allowed an attacker to bypass the user lockout feature in HashiCorp Vault for both userpass and ldap authentication methods. The core of the issue was the inconsistent normalization of usernames before checking for failed login attempts.
For the userpass authentication method, which treats usernames as case-insensitive, the pathLoginAliasLookahead function failed to convert the input username to a consistent case (lowercase). This discrepancy meant an attacker could make multiple login attempts with different casings of the same username (e.g., 'user', 'User', 'USER'). Each attempt was treated as a distinct alias for the purpose of lockout tracking, thus circumventing the lockout mechanism for the actual user account.
Similarly, for the ldap authentication method, the pathLoginAliasLookahead function did not correctly handle the case_sensitive_names configuration. When the LDAP backend was configured to be case-insensitive, it suffered from the same flaw as the userpass method, allowing for a lockout bypass.
The security patch rectifies this by enforcing proper username normalization within the pathLoginAliasLookahead function for both affected backends. For userpass, the username is now always converted to lowercase. For ldap, the username is converted to lowercase only when the case_sensitive_names option is disabled. This ensures that all login attempts for a given user map to a single, normalized alias, making the lockout mechanism effective.
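The effect of the normalization rule on lockout tracking, shown as an added Go example that is not Vault's own code: the `aliasName` and `vulnerableAliasName` helpers, the `LockoutTracker` model and the threshold of 3 are assumptions constructed to illustrate the behaviour described above.

```go
package main
import (
	"fmt"
	"strings"
)

// aliasName applies the normalization rule the patch describes (hypothetical helper,
// not Vault's own code): userpass always lowercases; ldap only when case_sensitive_names is off.
func aliasName(backend, username string, caseSensitiveNames bool) string {
	if backend == "userpass" || (backend == "ldap" && !caseSensitiveNames) {
		return strings.ToLower(username)
	}
	return username
}

// vulnerableAliasName models the pre-1.20.1 behaviour: the raw input becomes the alias,
// so each casing of a name is tracked as a separate alias.
func vulnerableAliasName(_, username string, _ bool) string { return username }

// LockoutTracker is a simplified model of the lockout feature: failed logins are
// counted per alias and the alias locks once the threshold is reached.
type LockoutTracker struct {
	threshold int
	failures  map[string]int
	normalize func(backend, username string, caseSensitive bool) string
}

// RecordFailure records one failed attempt and reports whether the alias is now locked.
func (t *LockoutTracker) RecordFailure(backend, username string, caseSensitive bool) bool {
	alias := t.normalize(backend, username, caseSensitive)
	t.failures[alias]++
	return t.failures[alias] >= t.threshold
}

// IsLocked reports whether the alias derived from username has reached the threshold.
func (t *LockoutTracker) IsLocked(backend, username string, caseSensitive bool) bool {
	return t.failures[t.normalize(backend, username, caseSensitive)] >= t.threshold
}

func main() {
	attempts := []string{"user", "User", "USER"} // constructed sample input
	vuln := &LockoutTracker{threshold: 3, failures: map[string]int{}, normalize: vulnerableAliasName}
	fixed := &LockoutTracker{threshold: 3, failures: map[string]int{}, normalize: aliasName}
	for _, u := range attempts {
		vuln.RecordFailure("userpass", u, false)
		fixed.RecordFailure("userpass", u, false)
	}
	fmt.Println("pre-patch locked:", vuln.IsLocked("userpass", "user", false)) // false
	fmt.Println("patched locked:", fixed.IsLocked("userpass", "user", false))  // true
}
```

With the pre-patch normalizer the three attempts land on three different aliases and the account never locks; with the patched rule they all count against one alias.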