- Description
- Vault and Vault Enterprise’s (“Vault”) AWS Auth method may be susceptible to authentication bypass if the role of the configured bound_principal_iam is the same across AWS accounts, or uses a wildcard. This vulnerability, CVE-2025-11621, is fixed in Vault Community Edition 1.21.0 and Vault Enterprise 1.21.0, 1.20.5, 1.19.11, and 1.16.27.
- Source
- security@hashicorp.com
- NVD status
- Analyzed
- Products
- vault
- CVSS 3.1
- Type
- Secondary
- Base score
- 8.1
- Impact score
- 5.2
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
- Severity
- HIGH
- security@hashicorp.com
- CWE-288
- Hype score
- Not currently trending
🚨🚨HashiCorp Patches Vault Flaws CVE-2025-12044: Rate limits applied after JSON parsing → spam massive valid payloads, exhaust CPU/RAM, trigger DoS. CVE-2025-11621: Cache skips account ID check → reuse role names across accounts, bypass auth in multi-tenant setups. Zo
@zoomeye_team
28 Oct 2025
918 Impressions
3 Retweets
11 Likes
3 Bookmarks
0 Replies
0 Quotes
🇺🇸 HashiCorp discloses two critical Vault vulnerabilities (CVE-2025-12044, CVE-2025-11621) enabling auth bypass and DoS in Community & Enterprise builds. Patch/mitigate. #Cybersecurity #OSINT https://t.co/0AySqmllkA
@STRATINT_AI
27 Oct 2025
47 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨Alert🚨:CVE-2025-12044&CVE-2025-11621 : Two HashiCorp Patches Vault Flaws——Unauthenticated JSON DoS and AWS Auth Bypass 📊117.9K Services are found on the https://t.co/ysWb28BTvF yearly. 🔗Hunter Link:https://t.co/xHOmRHMcOk 👇Query HUNTER : https://t.co/q9rtu
@HunterMapping
27 Oct 2025
4627 Impressions
14 Retweets
62 Likes
27 Bookmarks
1 Reply
1 Quote
CVE-2025-11621 Vault and Vault Enterprise’s (“Vault”) AWS Auth method may be susceptible to authentication bypass if the role of the configured bound_principal_iam is the same acros… https://t.co/ILa6cYtbkS
@CVEnew
23 Oct 2025
362 Impressions
1 Retweet
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*",
            "matchCriteriaId": "8C7F3182-7234-41FA-9B75-41035C2373A5",
            "versionEndExcluding": "1.16.27",
            "versionStartIncluding": "0.6.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:-:*:*:*",
            "matchCriteriaId": "1A7AEDE3-EAC5-4022-916F-639BD91EF61C",
            "versionEndExcluding": "1.21.0",
            "versionStartIncluding": "0.6.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*",
            "matchCriteriaId": "0F754D3F-BD3D-4726-87EC-012F8B68C840",
            "versionEndIncluding": "1.18.15",
            "versionStartIncluding": "1.18.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*",
            "matchCriteriaId": "167CFBBB-E0DF-42AB-84AA-4BF19C3873DB",
            "versionEndExcluding": "1.19.11",
            "versionStartIncluding": "1.19.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:*:*:*",
            "matchCriteriaId": "466A7DC1-B9A3-4413-AA3E-AFAF34350E52",
            "versionEndExcluding": "1.20.5",
            "versionStartIncluding": "1.20.0",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]