Add upgrade guidance for file audit device security changes (CVE-2025-6000) (#682)

pixambi · web-flow · commit c65bea2a260c · 2025-08-08T10:11:57.000+10:00
Added details to upgrade and important changes docs for Vault versions 1.16.x, 1.18.x, 1.19.x, and 1.20.x about new requirements for file audit devices: explicit configuration for prefixing, restrictions on writing to plugin directories, and prohibition of executable file permissions. Recommendations for configuration updates are provided. Fixes introduced in hashicorp/vault#31211 for CVE-2025-6000.
diff --git a/content/vault/v1.16.x/content/docs/upgrading/upgrade-to-1.16.x.mdx b/content/vault/v1.16.x/content/docs/upgrading/upgrade-to-1.16.x.mdx
@@ -233,6 +233,23 @@ reports if manual reporting is preferred.
 See the main page for [Vault product usage metrics reporting](/vault/docs/enterprise/license/product-usage-reporting) for
 more details, and information about opt-out.
 
+### File audit devices require explicit configuration for prefixing and cannot use executable file permissions (CVE-2025-6000)
+
+| Change       | Affected version                          | Fixed version
+| ------------ | ----------------------------------------- | --------------------
+| Breaking     | 1.16.23                                   | N/A
+
+You must set `allow_audit_log_prefixing` to `true` in your server configuration to enable `file` audit devices with the `prefix` option. Additionally, `file` audit devices cannot use file modes with executable permissions (e.g., 0777, 0755).
+
+#### Recommendation
+
+If you use `file` audit devices, you need to:
+
+1. Add `allow_audit_log_prefixing = true` to your Vault server configuration if
+   you want to use the `prefix` option.
+1. Use non-executable file modes (e.g., 0644, 0666) for log files.
+
+
 ## Known issues and workarounds
 
 
diff --git a/content/vault/v1.18.x/content/docs/upgrading/upgrade-to-1.18.x.mdx b/content/vault/v1.18.x/content/docs/upgrading/upgrade-to-1.18.x.mdx
@@ -184,6 +184,23 @@ reports if manual reporting is preferred.
 See the main page for [Vault product usage metrics reporting](/vault/docs/enterprise/license/product-usage-reporting) for
 more details, and information about opt-out.
 
+### File audit devices require explicit configuration for prefixing and cannot use executable file permissions (CVE-2025-6000)
+
+| Change       | Affected version                          | Fixed version
+| ------------ | ----------------------------------------- | --------------------
+| Breaking     | 1.18.12                                   | N/A
+
+You must set `allow_audit_log_prefixing` to `true` in your server configuration to enable `file` audit devices with the `prefix` option. Additionally, `file` audit devices cannot use file modes with executable permissions (e.g., 0777, 0755).
+
+#### Recommendation
+
+If you use `file` audit devices, you need to:
+
+1. Add `allow_audit_log_prefixing = true` to your Vault server configuration if
+   you want to use the `prefix` option.
+1. Use non-executable file modes (e.g., 0644, 0666) for log files.
+
+
 ## Known issues and workarounds
 
 @include 'known-issues/duplicate-hsm-key.mdx'
diff --git a/content/vault/v1.19.x/content/docs/updates/important-changes.mdx b/content/vault/v1.19.x/content/docs/updates/important-changes.mdx
@@ -119,7 +119,21 @@ Review the [Token validation](/vault/docs/auth/azure#token-validation) section
 of the Azure authN plugin guide for more information on the new validation
 requirements.
 
+### File audit devices require explicit configuration for prefixing and cannot use executable file permissions (CVE-2025-6000)
 
+| Change       | Affected version                          | Fixed version
+| ------------ | ----------------------------------------- | --------------------
+| Breaking     | 1.19.7                                    | N/A
+
+You must set `allow_audit_log_prefixing` to `true` in your server configuration to enable `file` audit devices with the `prefix` option. Additionally, `file` audit devices cannot use file modes with executable permissions (e.g., 0777, 0755).
+
+#### Recommendation
+
+If you use `file` audit devices, you need to:
+
+1. Add `allow_audit_log_prefixing = true` to your Vault server configuration if
+   you want to use the `prefix` option.
+1. Use non-executable file modes (e.g., 0644, 0666) for log files.
 
 
 ## Breaking changes
diff --git a/content/vault/v1.20.x/content/docs/updates/important-changes.mdx b/content/vault/v1.20.x/content/docs/updates/important-changes.mdx
@@ -42,6 +42,22 @@ Vault currently does not support rotate root for key pairs. To manually rotate k
 For more information on rotating key pairs, please refer
 to the official [Snowflake documentation](https://docs.snowflake.com/en/user-guide/key-pair-auth#configuring-key-pair-rotation).
 
+### File audit devices require explicit configuration for prefixing and cannot use executable file permissions (CVE-2025-6000)
+
+| Change       | Affected version                          | Fixed version
+| ------------ | ----------------------------------------- | --------------------
+| Breaking     | 1.20.1                                    | N/A
+
+You must set `allow_audit_log_prefixing` to `true` in your server configuration to enable `file` audit devices with the `prefix` option. Additionally, `file` audit devices cannot use file modes with executable permissions (e.g., 0777, 0755).
+
+#### Recommendation
+
+If you use `file` audit devices, you need to:
+
+1. Add `allow_audit_log_prefixing = true` to your Vault server configuration if
+   you want to use the `prefix` option.
+1. Use non-executable file modes (e.g., 0644, 0666) for log files.
+
 ## Breaking changes
 
 ### Breaking configuration change for disable_mlock ((#disable_mlock-config))
