x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-9g4h-h484-3578

[GoVulnBot]

Advisory GHSA-9g4h-h484-3578 references a vulnerability in the following Go modules:

Module
github.com/hashicorp/vault

Description:
Vault and Vault Enterprise's ("Vault") AWS Auth method may be susceptible to authentication bypass if the role of the configured bound_principal_iam is the same across AWS accounts, or uses a wildcard. This vulnerability is fixed in Vault Community Edition 1.21.0 and Vault Enterprise 1.21.0, 1.20.5, 1.19.11, and 1.16.27.

References:

• ADVISORY: GHSA-9g4h-h484-3578
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-11621
• FIX: hashicorp/vault@8d07273
• WEB: https://discuss.hashicorp.com/t/hcsec-2025-30-vault-aws-auth-method-authentication-bypass-through-mishandling-of-cache-entries/76709

Cross references:

• github.com/hashicorp/vault appears in 49 other report(s):
  • data/reports/GO-2022-0578.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-362v-wg5p-64w2 #578)
  • data/reports/GO-2022-0590.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-c5wc-v287-82pc #590)
  • data/reports/GO-2022-0611.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-pfmw-vj74-ph8g #611)
  • data/reports/GO-2022-0618.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-qv95-g3gm-x542 #618)
  • data/reports/GO-2022-0620.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-23fq-q7hc-993r #620)
  • data/reports/GO-2022-0623.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-38j9-7pp9-2hjw #623)
  • data/reports/GO-2022-0632.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-6239-28c2-9mrm, CVE-2021-38554 #632)
  • data/reports/GO-2022-0778.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault/command: GHSA-25xj-89g5-fm6h #778)
  • data/reports/GO-2022-0816.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-9vh5-r4qw-v3vv #816)
  • data/reports/GO-2022-0825.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-fp52-qw33-mfmw #825)
  • data/reports/GO-2022-1021.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-7cgv-v83v-rr87 #1021)
  • data/reports/GO-2023-1685.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-v3hp-mcj5-pg39 #1685)
  • data/reports/GO-2023-1708.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-hwc3-3qh6-r4gg #1708)
  • data/reports/GO-2023-1709.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-vq4h-9ghm-qmrr #1709)
  • data/reports/GO-2023-1849.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-gq98-53rq-qr5h #1849)
  • data/reports/GO-2023-1897.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-9mh8-9j64-443f #1897)
  • data/reports/GO-2023-1900.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-wmg5-g953-qqfw #1900)
  • data/reports/GO-2023-1986.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-9v3w-w2jh-4hff #1986)
  • data/reports/GO-2023-2063.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-v84f-6r39-cpfc #2063)
  • data/reports/GO-2023-2088.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-86c6-3g63-5w64 #2088)
  • data/reports/GO-2023-2329.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-4qhc-v8r6-8vwm #2329)
  • data/reports/GO-2023-2399.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-6p62-6cg9-f5f5 #2399)
  • data/reports/GO-2024-2485.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault/vault: GHSA-j6vv-vv26-rh7c #2485)
  • data/reports/GO-2024-2486.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault/vault: GHSA-m979-w9wj-qfj9 #2486)
  • data/reports/GO-2024-2488.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault/vault: GHSA-4mp7-2m29-gqxf #2488)
  • data/reports/GO-2024-2508.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-rpgp-9hmg-j25x #2508)
  • data/reports/GO-2024-2509.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-rq95-xf66-j689 #2509)
  • data/reports/GO-2024-2511.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: CVE-2024-0831 #2511)
  • data/reports/GO-2024-2514.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-57gg-cj55-q5g2 #2514)
  • data/reports/GO-2024-2617.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-r3w7-mfpm-c2vw #2617)
  • data/reports/GO-2024-2690.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-j2rp-gmqv-frhv #2690)
  • data/reports/GO-2024-2921.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-32cj-5wx4-gq8p #2921)
  • data/reports/GO-2024-2982.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-2qmw-pvf7-4mw6 #2982)
  • data/reports/GO-2024-3113.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-jjxf-26c9-77gm #3113)
  • data/reports/GO-2024-3162.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-jg74-mwgw-v6x3 #3162)
  • data/reports/GO-2024-3191.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-rr8j-7w34-xp5j #3191)
  • data/reports/GO-2024-3246.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-g233-2p4r-3q7v #3246)
  • data/reports/GO-2025-3662.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-f9ch-h8j7-8jwg #3662)
  • data/reports/GO-2025-3663.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-gcqf-f89c-68hv #3663)
  • data/reports/GO-2025-3788.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-fhc2-8qx8-6vj7 #3788)
  • data/reports/GO-2025-3836.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-6c5r-4wfc-3mcx #3836)
  • data/reports/GO-2025-3837.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-6h4p-m86h-hhgh #3837)
  • data/reports/GO-2025-3838.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-mr4h-qf9j-f665 #3838)
  • data/reports/GO-2025-3839.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-mwgr-84fv-3jh9 #3839)
  • data/reports/GO-2025-3840.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-qgj7-fmq2-6cc4 #3840)
  • data/reports/GO-2025-3841.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-qv3p-fmv3-9hww #3841)
  • data/reports/GO-2025-3842.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-v6r4-35f9-9rpw #3842)
  • data/reports/GO-2025-3848.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-7rx2-769v-hrwf #3848)
  • data/reports/GO-2025-3924.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-8f82-53h8-2p34 #3924)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/hashicorp/vault
      versions:
        - introduced: 0.6.0
        - fixed: 1.21.0
      vulnerable_at: 1.21.0-rc1
summary: |-
    HashiCorp Vault and Vault Enterprise's AWS Auth method may be susceptible to
    authentication bypass in github.com/hashicorp/vault
cves:
    - CVE-2025-11621
ghsas:
    - GHSA-9g4h-h484-3578
references:
    - advisory: https://github.com/advisories/GHSA-9g4h-h484-3578
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-11621
    - fix: https://github.com/hashicorp/vault/commit/8d07273d14ae7f5a48cc96f66cc86615dea83390
    - web: https://discuss.hashicorp.com/t/hcsec-2025-30-vault-aws-auth-method-authentication-bypass-through-mishandling-of-cache-entries/76709
source:
    id: GHSA-9g4h-h484-3578
    created: 2025-10-24T00:01:20.775799547Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/715780 mentions this issue: data/reports: add 47 UNREVIEWED reports