HashiCorp Tooling vulnerabilities
4 known vulnerabilities affecting hashicorp/tooling.
Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 2, MEDIUM 1
Vulnerabilities
CVE-2025-13357 | P2 | CRITICAL | CVSS 9.8 | CWE-1188 | ≥ 4.2.0, < 5.5.0 | 2025-11-21
Vault’s Terraform Provider incorrectly set the default deny_null_bind parameter for the LDAP auth method to false by default, potentially resulting in an insecure configuration. If the underlying LDAP server allowed anonymous or unauthenticated binds, this could result in authentication bypass. This vulnerability, CVE-2025-13357, is fixed in Vaul
nvd
CVE-2025-1293 | P3 | HIGH | CVSS 8.2 | CWE-1390 | fixed in 0.5.0 | 2025-02-20
Hermes versions up to 0.4.0 improperly validated the JWT provided when using the AWS ALB authentication mode, potentially allowing for authentication bypass. This vulnerability, CVE-2025-1293, was fixed in Hermes 0.5.0.
nvd
CVE-2026-4660 | P3 | HIGH | CVSS 7.5 | CWE-200 | fixed in 1.8.6 | 2026-04-09
HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.
nvd
CVE-2026-5061 | P4 | MEDIUM | CVSS 4.7 | CWE-59 | ≥ 0.1.0, < 0.42.0 | 2026-05-12
The consul-template library before version 0.42.0 is vulnerable to a sandbox path bypass in the file template helper that may allow reading an out-of-sandbox file. This vulnerability (CVE-2026-5061) is fixed in consul-template 0.42.0.
nvd