CVE-2025-6014: Hashicorp Vault's TOTP Secrets Engine Susceptible to Code Reuse

CVSS Score (v3.1): 6.5

Basic Information

EPSS Score: 0.06927%
Published: 8/1/2025
Updated: 8/1/2025
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name: github.com/hashicorp/vault
Ecosystem: Go
Vulnerable Versions: < 1.20.1
First Patched Version: 1.20.1

Vulnerability Intelligence
Root Cause Analysis

The vulnerability exists in the TOTP secrets engine of Hashicorp Vault, where the code validation logic did not properly handle whitespace, allowing for TOTP code reuse. The root cause was the lack of input validation on the length of the TOTP code provided by the user. An attacker could exploit this by taking a valid TOTP code and appending whitespace characters to it. Since the server was not stripping the whitespace before checking for reuse, the modified code was treated as a new, valid code. The fix was to add a strict length check on the input code to ensure it matches the expected length of the TOTP code, preventing any manipulation with whitespace. The vulnerable function is backend.handleValidate in builtin/logical/totp/path_code.go, which is responsible for this validation.
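The flow described above, as an added Go model (not Vault's code) of a validate handler whose reuse cache is keyed on the raw submitted string while the code comparison tolerates surrounding whitespace, beside the strict length check the advisory names as the fix. The reference code "492039", the digit count and the in-memory cache are constructed for the example; Vault's real cache also expires entries after the TOTP period, which is omitted here.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// totpKey is a constructed stand-in for one key in the TOTP secrets engine:
// the code it would produce right now, its configured length, and the cache
// of codes already accepted (Vault keys this on key name plus code).
type totpKey struct {
	current   string          // constructed sample code for the current period
	digits    int             // configured TOTP length
	usedCodes map[string]bool // reuse cache, keyed by the submitted string as received
}

var errReuse = errors.New("code already used")

// validate models the handler. With strictLength=false it reproduces the
// pre-fix flow: the reuse lookup uses the raw input, while the code comparison
// (standing in for the TOTP library, which trims whitespace) accepts padding,
// so "492039" and "492039 " are separate cache entries that both pass.
// With strictLength=true the fix runs first: any input whose length differs
// from the digit count is rejected before the cache or the code is consulted.
func (k *totpKey) validate(code string, strictLength bool) (bool, error) {
	if strictLength && len(code) != k.digits {
		return false, fmt.Errorf("code length %d, expected %d", len(code), k.digits)
	}
	if k.usedCodes[code] {
		return false, errReuse
	}
	if strings.TrimSpace(code) != k.current {
		return false, nil // wrong code: invalid, but not an error
	}
	k.usedCodes[code] = true
	return true, nil
}

func newKey() *totpKey {
	return &totpKey{current: "492039", digits: 6, usedCodes: map[string]bool{}}
}

func main() {
	for _, strict := range []bool{false, true} {
		k := newKey()
		first, _ := k.validate("492039", strict)
		second, err := k.validate("492039", strict)
		padded, perr := k.validate("492039 ", strict)
		fmt.Printf("strict=%v first=%v second=%v (%v) padded=%v (%v)\n",
			strict, first, second, err, padded, perr)
	}
}
```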

WAF Protection Rules

WAF Rule

Vault and Vault Enterprise's ("Vault") TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, *.**.*, *.**.**, and *.**.**.
