A privileged Vault operator within the root namespace with write permission to {{sys/audit}} may obtain code execution on the underlying host if a plugin directory is set in Vault’s configuration. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
Metrics
Affected Vendors & Products
References
History
Mon, 04 Aug 2025 12:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
| |
Metrics |
threat_severity
|
threat_severity
|
Mon, 04 Aug 2025 09:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Hashicorp
Hashicorp vault Hashicorp vault Enterprise |
|
Vendors & Products |
Hashicorp
Hashicorp vault Hashicorp vault Enterprise |
Fri, 01 Aug 2025 18:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Fri, 01 Aug 2025 18:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | A privileged Vault operator within the root namespace with write permission to {{sys/audit}} may obtain code execution on the underlying host if a plugin directory is set in Vault’s configuration. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23. | |
Title | Arbitrary Remote Code Execution via Plugin Catalog Abuse | |
Weaknesses | CWE-94 | |
References |
| |
Metrics |
cvssV3_1
|

Status: PUBLISHED
Assigner: HashiCorp
Published: 2025-08-01T17:40:48.524Z
Updated: 2025-08-01T18:12:02.883Z
Reserved: 2025-06-11T14:38:13.583Z
Link: CVE-2025-6000

Updated: 2025-08-01T18:11:58.841Z

Status : Awaiting Analysis
Published: 2025-08-01T18:15:56.423
Modified: 2025-08-04T15:06:15.833
Link: CVE-2025-6000
