LDAP Authentication Vulnerability in HashiCorp Vault's Terraform Provider
CVE-2025-13357

7.4 HIGH

Key Information:

Vendor: HashiCorp

Status: Vendor

CVE Published: 21 November 2025

What is CVE-2025-13357?

The Terraform Provider for HashiCorp Vault set the default value of the deny_null_bind parameter of the LDAP authentication method to false. With that default, an LDAP server that accepts anonymous or unauthenticated (null) binds can be treated by Vault as having authenticated the user, so an attacker could bypass authentication and compromise the security of the system. This issue is addressed in Vault Terraform Provider version 5.5.0.
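As an added illustration (not code from the advisory or from HashiCorp), the following Terraform configuration shows the weak form, which leaves deny_null_bind to the provider default, beside a hardened form that sets it explicitly and pins the provider to the release the advisory names as fixed. The resource type vault_ldap_auth_backend and its arguments come from the Vault provider; the LDAP URL, DNs, mount path and variable name are constructed placeholders.

```hcl
terraform {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      # 5.5.0 is the provider release the advisory names as fixing the default
      version = ">= 5.5.0"
    }
  }
}

# Weak form (kept commented out so it is not applied): deny_null_bind is not set.
# On provider versions 4.2.0 <= v < 5.5.0 this resolved to false, so an LDAP
# server that accepts an anonymous (null) bind could satisfy the Vault login.
#
# resource "vault_ldap_auth_backend" "ldap_weak" {
#   path    = "ldap"
#   url     = "ldaps://ldap.example.internal"    # constructed placeholder
#   userdn  = "ou=Users,dc=example,dc=internal"  # constructed placeholder
#   groupdn = "ou=Groups,dc=example,dc=internal" # constructed placeholder
# }

# Hardened form: the value is set explicitly, so the outcome no longer depends
# on which provider version applied the plan.
resource "vault_ldap_auth_backend" "ldap" {
  path           = "ldap"
  url            = "ldaps://ldap.example.internal"                # constructed placeholder
  userdn         = "ou=Users,dc=example,dc=internal"              # constructed placeholder
  userattr       = "uid"
  groupdn        = "ou=Groups,dc=example,dc=internal"             # constructed placeholder
  binddn         = "cn=vault,ou=Service,dc=example,dc=internal"   # constructed placeholder
  bindpass       = var.ldap_bind_password                         # supplied out of band
  deny_null_bind = true                                           # reject empty-password (anonymous) binds
}

variable "ldap_bind_password" {
  type      = string
  sensitive = true
}
```

For an existing mount managed by an older provider, the first `terraform plan` after this change should show deny_null_bind moving from false to true; that diff is the practical check that the weak default had been in effect. The applied setting can also be confirmed with `vault read auth/ldap/config`.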

Affected Version(s)

Tooling (64 bit): versions from 4.2.0 up to, but not including, 5.5.0

CVSS V3.1

Score: 7.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
