I do not speak for HashiCorp, but they have published information on this CVE here: https://discuss.hashicorp.com/t/hcsec-2025-21-vault-user-enu...

OpenBao is reasonably confident in our fix: https://github.com/openbao/openbao/pull/1628

We had earlier pulled support for pre-Vault-1.0 userpass pre-bcrypt hashing (so there's no longer a timing difference there that could be used for enumeration), and using cache busting on lookup should also ensure consistency across storage layers. Plus, we're normalizing the remaining error messages up to the point when the user's credential is fully validated as correct.

> reasonably confident

Why does this phrase not fill me with confidence?

To quote a movie, only a Sith deals in absolutes ;-)

The OpenBao community call is in 10 minutes if you want to talk more about it live: https://calendar.google.com/calendar/embed?src=s63voefhp5i9p... (OpenSSF community calendar link).

But, the short answer why I say _reasonably_ sure is because HashiCorp and the OP haven't released a lot of details about exactly what case(s) are affected, so there's only so much we can do except look at our own code and infer what we can and make an educated guess.

So, barring some structural problem I'm not immediately aware of, I have reasonably high confidence based on discussions amongst the community members.

Why do you care? This is not a very meaningful vulnerability --- it's a side channel user enumeration. Even direct user enumeration is a sev:info finding.