CVE-2025-13357 — Initialization of a Resource with an Insecure Default in Hashicorp Terraform-provider-vault

CWE-1188 — Initialization of a Resource with an Insecure Default5 documents4 sources

Severity

9.8CRITICALNVD

CNA7.4

EPSS

0.1%

top 73.66%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Hashicorp Tooling Github.com Hashicorp Terraform-provider-vault Hashicorp Terraform Provider

Timeline

PublishedNov 21

Latest updateNov 25

Description

Vault’s Terraform Provider incorrectly set the default deny_null_bind parameter for the LDAP auth method to false by default, potentially resulting in an insecure configuration. If the underlying LDAP server allowed anonymous or unauthenticated binds, this could result in authentication bypass. This vulnerability, CVE-2025-13357, is fixed in Vault Terraform Provider v5.5.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶Gogithub.com/hashicorp_terraform-provider-vault< 5.5.0

▶NVDhashicorp/terraform_provider4.2.0 — 5.5.0

▶CVEListV5hashicorp/tooling4.2.0 — 5.5.0

🔴Vulnerability Details

OSV

Vault’s Terraform Provider incorrectly set default deny_null_bind parameter for LDAP auth method to false by default in github.com/hashicorp/terraform-provider-vault↗2025-11-25

▶

CVEList

Vault Terraform Provider Applied Incorrect Defaults for LDAP Auth Method↗2025-11-21

▶

OSV

Vault’s Terraform Provider incorrectly set default deny_null_bind parameter for LDAP auth method to false by default↗2025-11-21

▶

GHSA

Vault’s Terraform Provider incorrectly set default deny_null_bind parameter for LDAP auth method to false by default↗2025-11-21

▶