VULN UPGRADE: github.com/hashicorp/vault (minor → v1.21.1) #9

Closed
campaigner-prod[bot] wants to merge 1 commit into main from engraver-auto-version-upgrade/minorpatch/go/0-1767838964

Conversation

@campaigner-prod

Summary: Critical-severity security update — 1 package upgraded (MINOR changes included)

Manifests changed:

  • . (go)

Updates

| Package | From | To | Type | Vulnerabilities Fixed |
|---|---|---|---|---|
| github.com/hashicorp/vault | v1.16.3 | v1.21.1 | minor | 1 CRITICAL, 6 HIGH, 7 MODERATE, 2 LOW, 16 UNKNOWN |

Security Details

🚨 Critical & High Severity (7 fixed)

| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| github.com/hashicorp/vault | GHSA-mr4h-qf9j-f665 | CRITICAL | Hashicorp Vault has Code Execution Vulnerability via Plugin Configuration | v1.16.3 | 1.20.1 |
| github.com/hashicorp/vault | GHSA-jg74-mwgw-v6x3 | HIGH | Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By Default | v1.16.3 | 1.17.6 |
| github.com/hashicorp/vault | GHSA-6h4p-m86h-hhgh | HIGH | Hashicorp Vault has Privilege Escalation Vulnerability | v1.16.3 | 1.20.0 |
| github.com/hashicorp/vault | GHSA-rr8j-7w34-xp5j | HIGH | Vault Community Edition privilege escalation vulnerability | v1.16.3 | 1.18.0 |
| github.com/hashicorp/vault | GHSA-9g4h-h484-3578 | HIGH | HashiCorp Vault and Vault Enterprise's AWS Auth method may be susceptible to authentication bypass | v1.16.3 | 1.21.0 |
| github.com/hashicorp/vault | GHSA-g233-2p4r-3q7v | HIGH | Hashicorp Vault vulnerable to denial of service through memory exhaustion | v1.16.3 | 1.18.1 |
| github.com/hashicorp/vault | GHSA-8f82-53h8-2p34 | HIGH | HashiCorp Vault Community Edition Denial of Service Though Complex JSON Payloads | v1.16.3 | 1.20.3 |
ℹ️ Other Vulnerabilities (25)

| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| github.com/hashicorp/vault | GHSA-gcqf-f89c-68hv | MODERATE | Hashicorp Vault Community vulnerable to Generation of Error Message Containing Sensitive Information | v1.16.3 | 1.19.3 |
| github.com/hashicorp/vault | GHSA-qgj7-fmq2-6cc4 | MODERATE | Hashicorp Vault has Lockout Feature Authentication Bypass | v1.16.3 | 1.20.1 |
| github.com/hashicorp/vault | GHSA-7rx2-769v-hrwf | MODERATE | HashiCorp Vault ldap auth method may not have correctly enforced MFA | v1.16.3 | 1.20.2 |
| github.com/hashicorp/vault | GHSA-6c5r-4wfc-3mcx | MODERATE | Hashicorp Vault has Incorrect Validation for Non-CA Certificates | v1.16.3 | 1.20.1 |
| github.com/hashicorp/vault | GHSA-qv3p-fmv3-9hww | MODERATE | Hashicorp Vault's TOTP Secrets Engine Susceptible to Code Reuse | v1.16.3 | 1.20.1 |
| github.com/hashicorp/vault | GHSA-f9ch-h8j7-8jwg | MODERATE | Hashicorp Vault Community vulnerable to Incorrect Authorization | v1.16.3 | 1.19.1 |
| github.com/hashicorp/vault | GHSA-v6r4-35f9-9rpw | MODERATE | Hashicorp Vault has Login MFA Rate Limit Bypass Vulnerability | v1.16.3 | 1.20.1 |
| github.com/hashicorp/vault | GHSA-mwgr-84fv-3jh9 | LOW | Hashicorp Vault has an Observable Discrepancy on Existing and Non-Existing Users | v1.16.3 | 1.20.1 |
| github.com/hashicorp/vault | GHSA-fhc2-8qx8-6vj7 | LOW | Vault Community Edition rekey and recovery key operations can cause denial of service | v1.16.3 | 1.20.0 |
| github.com/hashicorp/vault | GO-2025-3836 | unknown | Hashicorp Vault has Incorrect Validation for Non-CA Certificates in github.com/hashicorp/vault | v1.16.3 | 1.20.1 |
| github.com/hashicorp/vault | GO-2024-3162 | unknown | Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By Default in github.com/hashicorp/vault | v1.16.3 | 1.17.6 |
| github.com/hashicorp/vault | GO-2024-3246 | unknown | Hashicorp Vault vulnerable to denial of service through memory exhaustion in github.com/hashicorp/vault | v1.16.3 | 1.18.1 |
| github.com/hashicorp/vault | GO-2024-3191 | unknown | Vault Community Edition privilege escalation vulnerability in github.com/hashicorp/vault | v1.16.3 | 1.18.0 |
| github.com/hashicorp/vault | GO-2025-3662 | unknown | Hashicorp Vault Community vulnerable to Incorrect Authorization in github.com/hashicorp/vault | v1.16.3 | 1.19.1 |
| github.com/hashicorp/vault | GO-2025-3842 | unknown | Hashicorp Vault has Login MFA Rate Limit Bypass Vulnerability in github.com/hashicorp/vault | v1.16.3 | 1.20.1 |
| github.com/hashicorp/vault | GO-2025-4070 | unknown | HashiCorp Vault and Vault Enterprise's AWS Auth method may be susceptible to authentication bypass in github.com/hashicorp/vault | v1.16.3 | 1.21.0 |
| github.com/hashicorp/vault | GO-2025-3838 | unknown | Hashicorp Vault has Code Execution Vulnerability via Plugin Configuration in github.com/hashicorp/vault | v1.16.3 | 1.20.1 |
| github.com/hashicorp/vault | GO-2025-3788 | unknown | Vault Community Edition rekey and recovery key operations can cause denial of service in github.com/hashicorp/vault | v1.16.3 | 1.20.0 |
| github.com/hashicorp/vault | GO-2025-3848 | unknown | HashiCorp Vault ldap auth method may not have correctly enforced MFA in github.com/hashicorp/vault | v1.16.3 | 1.20.2 |
| github.com/hashicorp/vault | GO-2025-3663 | unknown | Hashicorp Vault Community vulnerable to Generation of Error Message Containing Sensitive Information in github.com/hashicorp/vault | v1.16.3 | 1.19.3 |
| github.com/hashicorp/vault | GO-2025-3840 | unknown | Hashicorp Vault has Lockout Feature Authentication Bypass in github.com/hashicorp/vault | v1.16.3 | 1.20.1 |
| github.com/hashicorp/vault | GO-2025-3841 | unknown | Hashicorp Vault's TOTP Secrets Engine Susceptible to Code Reuse in github.com/hashicorp/vault | v1.16.3 | 1.20.1 |
| github.com/hashicorp/vault | GO-2025-3839 | unknown | Hashicorp Vault has an Observable Discrepancy on Existing and Non-Existing Users in github.com/hashicorp/vault | v1.16.3 | 1.20.1 |
| github.com/hashicorp/vault | GO-2025-3837 | unknown | Hashicorp Vault has Privilege Escalation Vulnerability in github.com/hashicorp/vault | v1.16.3 | 1.20.0 |
| github.com/hashicorp/vault | GO-2025-3924 | unknown | HashiCorp Vault Community Edition Denial of Service Though Complex JSON Payloads in github.com/hashicorp/vault | v1.16.3 | 1.20.3 |

Review Checklist

Enhanced review recommended for this update:

  • Review changes for compatibility with your code
  • Check release notes for breaking changes
  • Run integration tests to verify service behavior
  • Test in staging environment before production
  • Monitor key metrics after deployment

Update Mode: Vulnerability Remediation (Critical/High)

🤖 Generated by DataDog Automated Dependency Management System
