CVE-2025-13357

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-13357

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-13357.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-13357

Aliases

Published

2025-11-21T15:15:51.313Z

Modified

2025-12-12T02:55:24.413179Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Vault’s Terraform Provider incorrectly set the default denynullbind parameter for the LDAP auth method to false by default, potentially resulting in an insecure configuration. If the underlying LDAP server allowed anonymous or unauthenticated binds, this could result in authentication bypass. This vulnerability, CVE-2025-13357, is fixed in Vault Terraform Provider v5.5.0.

References

https://discuss.hashicorp.com/t/hcsec-2025-33-vault-terraform-provider-applied-incorrect-defaults-for-ldap-auth-method/76822

Affected packages

Git / github.com/hashicorp/terraform-provider-vault

Affected ranges

Type: GIT
Repo: https://github.com/hashicorp/terraform-provider-vault
Events: Introduced

2822bae19ce749d531e619971343ffb43e944051

Fixed

148e86b0882c1415282a8236dc1e48cea20c70cb

Affected versions

v4.*

v4.2.0

v4.3.0

v4.4.0

v4.5.0

v4.6.0

v4.7.0

v4.8.0

v5.*

v5.0.0

v5.1.0

v5.2.0

v5.2.1

v5.3.0

v5.4.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-13357.json"