Fluid Attacks Database

Description

Hashicorp Vault's TOTP Secrets Engine Susceptible to Code Reuse Vault and Vault Enterprise’s (“Vault”) TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/hashicorp/vault	>=0 <1.20.1	1.20.1

Aliases

1. CVE-2025-60142. NVD-2025-60143. OSV-2025-60144. GCVE-2025-6014

References

1. https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036