{"id":"BIT-vault-2025-6000","summary":"Arbitrary Remote Code Execution via Plugin Catalog Abuse","details":"A privileged Vault operator within the root namespace with write permission to sys/audit may obtain code execution on the underlying host if a plugin directory is set in Vault’s configuration. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.","aliases":["CVE-2025-6000","GHSA-mr4h-qf9j-f665","GO-2025-3838"],"modified":"2025-08-11T18:14:37.694776Z","published":"2025-08-05T08:52:55.970Z","database_specific":{"severity":"Critical","cpes":["cpe:2.3:a:hashicorp:vault:*:*:*:*:enterprise:go:*:*","cpe:2.3:a:hashicorp:vault:*:*:*:*:community:go:*:*"]},"references":[{"type":"WEB","url":"https://discuss.hashicorp.com/t/hcsec-2025-14-privileged-vault-operator-may-execute-code-on-the-underlying-host/76033"},{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-6000"}],"affected":[{"package":{"name":"vault","ecosystem":"Bitnami","purl":"pkg:bitnami/vault"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.8.0"},{"fixed":"1.20.1"}]}],"database_specific":{"source":"https://github.com/bitnami/vulndb/tree/main/data/vault/BIT-vault-2025-6000.json"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"}]}],"schema_version":"1.7.3"}