x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-qv3p-fmv3-9hww

[GoVulnBot]

Advisory GHSA-qv3p-fmv3-9hww references a vulnerability in the following Go modules:

Module
github.com/hashicorp/vault

Description:
Vault and Vault Enterprise’s (“Vault”) TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

References:

• ADVISORY: GHSA-qv3p-fmv3-9hww
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-6014
• WEB: https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036

Cross references:

• github.com/hashicorp/vault appears in 40 other report(s):
  • data/reports/GO-2022-0578.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-362v-wg5p-64w2 #578)
  • data/reports/GO-2022-0590.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-c5wc-v287-82pc #590)
  • data/reports/GO-2022-0611.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-pfmw-vj74-ph8g #611)
  • data/reports/GO-2022-0618.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-qv95-g3gm-x542 #618)
  • data/reports/GO-2022-0620.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-23fq-q7hc-993r #620)
  • data/reports/GO-2022-0623.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-38j9-7pp9-2hjw #623)
  • data/reports/GO-2022-0632.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-6239-28c2-9mrm, CVE-2021-38554 #632)
  • data/reports/GO-2022-0778.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault/command: GHSA-25xj-89g5-fm6h #778)
  • data/reports/GO-2022-0816.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-9vh5-r4qw-v3vv #816)
  • data/reports/GO-2022-0825.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-fp52-qw33-mfmw #825)
  • data/reports/GO-2022-1021.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-7cgv-v83v-rr87 #1021)
  • data/reports/GO-2023-1685.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-v3hp-mcj5-pg39 #1685)
  • data/reports/GO-2023-1708.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-hwc3-3qh6-r4gg #1708)
  • data/reports/GO-2023-1709.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-vq4h-9ghm-qmrr #1709)
  • data/reports/GO-2023-1849.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-gq98-53rq-qr5h #1849)
  • data/reports/GO-2023-1897.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-9mh8-9j64-443f #1897)
  • data/reports/GO-2023-1900.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-wmg5-g953-qqfw #1900)
  • data/reports/GO-2023-1986.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-9v3w-w2jh-4hff #1986)
  • data/reports/GO-2023-2063.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-v84f-6r39-cpfc #2063)
  • data/reports/GO-2023-2088.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-86c6-3g63-5w64 #2088)
  • data/reports/GO-2023-2329.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-4qhc-v8r6-8vwm #2329)
  • data/reports/GO-2023-2399.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-6p62-6cg9-f5f5 #2399)
  • data/reports/GO-2024-2485.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault/vault: GHSA-j6vv-vv26-rh7c #2485)
  • data/reports/GO-2024-2486.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault/vault: GHSA-m979-w9wj-qfj9 #2486)
  • data/reports/GO-2024-2488.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault/vault: GHSA-4mp7-2m29-gqxf #2488)
  • data/reports/GO-2024-2508.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-rpgp-9hmg-j25x #2508)
  • data/reports/GO-2024-2509.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-rq95-xf66-j689 #2509)
  • data/reports/GO-2024-2511.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: CVE-2024-0831 #2511)
  • data/reports/GO-2024-2514.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-57gg-cj55-q5g2 #2514)
  • data/reports/GO-2024-2617.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-r3w7-mfpm-c2vw #2617)
  • data/reports/GO-2024-2690.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-j2rp-gmqv-frhv #2690)
  • data/reports/GO-2024-2921.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-32cj-5wx4-gq8p #2921)
  • data/reports/GO-2024-2982.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-2qmw-pvf7-4mw6 #2982)
  • data/reports/GO-2024-3113.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-jjxf-26c9-77gm #3113)
  • data/reports/GO-2024-3162.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-jg74-mwgw-v6x3 #3162)
  • data/reports/GO-2024-3191.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-rr8j-7w34-xp5j #3191)
  • data/reports/GO-2024-3246.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-g233-2p4r-3q7v #3246)
  • data/reports/GO-2025-3662.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-f9ch-h8j7-8jwg #3662)
  • data/reports/GO-2025-3663.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-gcqf-f89c-68hv #3663)
  • data/reports/GO-2025-3788.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-fhc2-8qx8-6vj7 #3788)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/hashicorp/vault
      versions:
        - fixed: 1.20.1
      vulnerable_at: 1.20.0
summary: Hashicorp Vault's TOTP Secrets Engine Susceptible to Code Reuse in github.com/hashicorp/vault
cves:
    - CVE-2025-6014
ghsas:
    - GHSA-qv3p-fmv3-9hww
references:
    - advisory: https://github.com/advisories/GHSA-qv3p-fmv3-9hww
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-6014
    - web: https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036
source:
    id: GHSA-qv3p-fmv3-9hww
    created: 2025-08-01T22:01:19.161288401Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/693658 mentions this issue: data/reports: add 16 reports

[gopherbot]

Change https://go.dev/cl/694756 mentions this issue: data/reports: add 20 reports