CVE-2025-3879 — Incorrect Authorization in Vault Enterprise

CWE-863 — Incorrect Authorization5 documents4 sources

Severity

8.8HIGHNVD

EPSS

0.2%

top 54.39%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Hashicorp Vault Enterprise Github.com Hashicorp Vault Hashicorp Vault

Timeline

PublishedMay 2

Latest updateMay 6

Description

Vault Community, Vault Enterprise (“Vault”) Azure Auth method did not correctly validate the claims in the Azure-issued token, resulting in the potential bypass of the bound_locations parameter on login. Fixed in Vault Community Edition 1.19.1 and Vault Enterprise 1.19.1, 1.18.7, 1.17.14, 1.16.18.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5hashicorp/vault_enterprise0.10.0 — 1.19.1

▶NVDhashicorp/vault0.10.0 — 1.16.18+4

▶Gogithub.com/hashicorp_vault1.10.0 — 1.19.1

🔴Vulnerability Details

OSV

Hashicorp Vault Community vulnerable to Incorrect Authorization in github.com/hashicorp/vault↗2025-05-06

▶

OSV

Hashicorp Vault Community vulnerable to Incorrect Authorization↗2025-05-02

▶

GHSA

Hashicorp Vault Community vulnerable to Incorrect Authorization↗2025-05-02

▶

📋Vendor Advisories

Red Hat

vault: Vault’s Azure Authentication Method bound_location Restriction Could be Bypassed on Login↗2025-05-02

▶