Observable Discrepancy Affecting github.com/hashicorp/vault/api/auth/userpass package, versions >=0.1.0


Severity

medium (CVSS assessment by Snyk's Security Team)

Threat Intelligence

Exploit Maturity
Proof of Concept

  • Snyk ID: SNYK-GOLANG-GITHUBCOMHASHICORPVAULTAPIAUTHUSERPASS-13517971
  • Published: 10 Oct 2025
  • Disclosed: 11 Jul 2025
  • Credit: Yarden Porat

Introduced: 11 Jul 2025

CVE-2025-6010
CWE-200

How to fix?

There is no fixed version for github.com/hashicorp/vault/api/auth/userpass.

Overview

Affected versions of this package are vulnerable to Observable Discrepancy via the userpass auth method. An attacker can enumerate valid usernames on this auth method through brute force or a list of known usernames.

Workaround

This issue can be partially mitigated by using rate-limit quotas in Vault or enabling network level controls for rate limiting that restrict access to Vault. Customers may also consider enforcing login MFA for the userpass auth mounts.
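Because the workaround only throttles login attempts rather than removing the enumeration signal, operators will also want to notice enumeration runs in the audit log. The following is an added Python example, not part of this advisory or of Vault: it scans constructed Vault audit-device lines for failed userpass logins and reports remote addresses whose failures span many distinct usernames. The field names (`request.path`, `request.remote_address`, `error`, `type`) follow Vault's JSON audit device format as assumed here, the default `auth/userpass/` mount path is assumed, and the threshold of three distinct usernames is an arbitrary starting point.

```python
import json
from collections import defaultdict

# Constructed sample lines shaped like Vault's JSON audit device output.
# Field names are assumed; only the fields the detector reads are included.
SAMPLE_AUDIT_LINES = [
    '{"type":"response","request":{"path":"auth/userpass/login/alice","remote_address":"10.0.0.5"},"error":"invalid username or password"}',
    '{"type":"response","request":{"path":"auth/userpass/login/bob","remote_address":"10.0.0.5"},"error":"invalid username or password"}',
    '{"type":"response","request":{"path":"auth/userpass/login/carol","remote_address":"10.0.0.5"},"error":"invalid username or password"}',
    '{"type":"response","request":{"path":"auth/userpass/login/dave","remote_address":"10.0.0.5"},"error":"invalid username or password"}',
    '{"type":"response","request":{"path":"auth/userpass/login/alice","remote_address":"10.0.0.9"},"error":"invalid username or password"}',
    '{"type":"response","request":{"path":"auth/userpass/login/alice","remote_address":"10.0.0.9"}}',
    '{"type":"response","request":{"path":"secret/data/app","remote_address":"10.0.0.9"}}',
    '{"type":"request","request":{"path":"auth/userpass/login/erin","remote_address":"10.0.0.5"}}',
]

# Default mount path; a userpass method mounted elsewhere needs its own prefix.
LOGIN_PREFIX = "auth/userpass/login/"

def failed_userpass_logins(lines):
    """Yield (remote_address, username) for every failed userpass login response."""
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        # Only response entries carry the outcome; a missing/empty error means success.
        if entry.get("type") != "response" or not entry.get("error"):
            continue
        req = entry.get("request", {})
        path = req.get("path", "")
        if not path.startswith(LOGIN_PREFIX):
            continue
        username = path[len(LOGIN_PREFIX):]  # username is the last path segment
        yield req.get("remote_address", "unknown"), username

def enumeration_suspects(lines, distinct_user_threshold=3):
    """Return {remote_address: sorted distinct usernames} for sources whose failed
    logins span at least distinct_user_threshold different usernames."""
    seen = defaultdict(set)
    for addr, user in failed_userpass_logins(lines):
        seen[addr].add(user)
    return {addr: sorted(users) for addr, users in seen.items()
            if len(users) >= distinct_user_threshold}

if __name__ == "__main__":
    for addr, users in enumeration_suspects(SAMPLE_AUDIT_LINES).items():
        print(f"{addr}: {len(users)} distinct usernames failed login: {', '.join(users)}")
```

A single address failing against many different usernames is the pattern this advisory describes; one address repeatedly failing against one username is ordinary password guessing, which the rate-limit quota above already covers.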
