CVE-2025-13357
Published: 2025-11-21
Priority: P2 / 63 · Critical 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.49% (38.5th percentile)
The Vault Terraform Provider defaulted the deny_null_bind parameter of the LDAP auth method to false, producing an insecure configuration on any LDAP mount created or managed by the provider without an explicit value. With deny_null_bind false, Vault forwards a login with an empty password to the directory instead of rejecting it up front; if the backing LDAP server permits anonymous or unauthenticated binds, that empty-password bind succeeds and a client supplying only a valid username is logged in, resulting in authentication bypass. Note that the insecure default belongs to the provider, not to Vault, whose own LDAP auth API defaults deny_null_bind to true, so mounts configured outside Terraform are not affected by this issue. This vulnerability, CVE-2025-13357, is fixed in Vault Terraform Provider v5.5.0; mounts applied with an earlier provider version keep the false value in Vault until the resource is re-applied or the parameter is set to true explicitly.
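As an added example (not code from HashiCorp's provider or from Vault), the following Python models the decision Vault's LDAP auth method makes when deny_null_bind is false versus true, against a directory that accepts unauthenticated binds, and then audits the JSON returned by `vault read -format=json auth/<mount>/config` for mounts that still carry the insecure value. The directory contents, mount paths, hostnames and DNs are constructed for the demo; the `deny_null_bind` field name follows Vault's LDAP config API.

```python
import json
from typing import Dict, List

# Constructed sample directory (username -> password) standing in for the
# LDAP server.  Nothing here is from Vault or the provider.
DIRECTORY: Dict[str, str] = {"alice": "correct horse battery staple"}


def ldap_simple_bind(user: str, password: str, server_allows_unauthenticated: bool) -> bool:
    """Simulate an LDAP simple bind.

    server_allows_unauthenticated models a directory that performs
    "unauthenticated authentication" (RFC 4513 section 5.1.2): a bind with a
    valid DN and an empty password succeeds without checking a credential.
    """
    if user not in DIRECTORY:
        return False
    if password == "":
        return server_allows_unauthenticated
    return DIRECTORY[user] == password


def vault_ldap_login(user: str, password: str, deny_null_bind: bool,
                     server_allows_unauthenticated: bool) -> bool:
    """Model the decision Vault's LDAP auth method makes on login.

    deny_null_bind=True: an empty password is rejected before the directory
    is contacted.  deny_null_bind=False (the provider's default before
    v5.5.0): the empty password is sent to the directory, and a server that
    allows unauthenticated binds reports success, i.e. the bypass.
    """
    if deny_null_bind and password == "":
        return False
    return ldap_simple_bind(user, password, server_allows_unauthenticated)


# Constructed sample of what `vault read -format=json auth/<mount>/config`
# returns for two LDAP mounts.  Field names follow Vault's LDAP config API;
# hostnames and DNs are made up for the demo.
SAMPLE_MOUNT_CONFIGS: Dict[str, str] = {
    "ldap/": json.dumps({"data": {"url": "ldaps://ldap.example.internal",
                                  "userdn": "ou=people,dc=example,dc=internal",
                                  "deny_null_bind": False}}),
    "ldap-corp/": json.dumps({"data": {"url": "ldaps://corp.example.internal",
                                       "userdn": "ou=staff,dc=corp,dc=example",
                                       "deny_null_bind": True}}),
}


def audit_ldap_mounts(mount_configs: Dict[str, str]) -> List[str]:
    """Return the LDAP auth mounts whose config does not deny null binds.

    A missing key is treated as a finding so the check fails closed.
    """
    findings = []
    for path, raw in mount_configs.items():
        data = json.loads(raw).get("data", {})
        if data.get("deny_null_bind") is not True:
            findings.append(path)
    return findings


if __name__ == "__main__":
    # Same user, empty password, directory that allows unauthenticated binds.
    print("deny_null_bind=false:", vault_ldap_login("alice", "", False, True))  # True: bypass
    print("deny_null_bind=true: ", vault_ldap_login("alice", "", True, True))   # False
    print("insecure mounts:", audit_ldap_mounts(SAMPLE_MOUNT_CONFIGS))         # ['ldap/']
```

To run the audit against a real cluster, enumerate mounts with `vault auth list -format=json`, read each LDAP mount's config with `vault read -format=json auth/<mount>/config`, and pass the raw JSON strings to `audit_ldap_mounts`. The remediation on the Terraform side is to upgrade the provider to v5.5.0 or later and, regardless of version, set `deny_null_bind = true` explicitly on each `vault_ldap_auth_backend` resource so the safe value does not depend on a provider default; disabling unauthenticated binds on the directory itself removes the second precondition.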
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | hashicorp_terraform-provider-vault | >= 0 < 5.5.0 | 5.5.0 |
| hashicorp | terraform_provider | >= 4.2.0 < 5.5.0 | 5.5.0 |
| hashicorp | tooling | >= 4.2.0 < 5.5.0 | 5.5.0 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| GHSA | | 9.8 | CRITICAL | |
| OSV | | 9.8 | CRITICAL | |
OSV
osv · 2025-11-25
CVE-2025-13357: Vault’s Terraform Provider incorrectly set default deny_null_bind parameter for LDAP auth method to false by default in github.com/hashicorp/terraform-provider-vault.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/hashicorp/terraform-provider-vault before v5.5.0.
OSV
osv · 2025-11-21 · CVSS 9.8 · CRITICAL
CVE-2025-13357: Vault’s Terraform Provider incorrectly set default deny_null_bind parameter for LDAP auth method to false by default (description as above).
GHSA
ghsa · 2025-11-21 · CVSS 9.8 · CRITICAL · CWE-1188 (Initialization of a Resource with an Insecure Default)
CVE-2025-13357: Vault’s Terraform Provider incorrectly set default deny_null_bind parameter for LDAP auth method to false by default (description as above).
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.