Permissions Flaw in Terraform Enterprise Affects HashiCorp Infrastructure Management
CVE-2025-13432

4.3MEDIUM

Key Information:

Vendor: Hashicorp
Status: Terraform Enterprise
Vendor: CVE Published:; 21 November 2025

What is CVE-2025-13432?

A user with limited permissions may create Terraform state versions within a Terraform Enterprise workspace, inadvertently allowing the potential alteration of infrastructure. If a user with the necessary approval permissions subsequently approves a plan operation or if the plan is auto-applied, unauthorized changes could be made, leading to potential disruptions or security risks. This vulnerability has been addressed in Terraform Enterprise version 1.1.1 and 1.0.3.

Affected Version(s)

Terraform Enterprise 64 bit 1.0.0 < 1.1.1

References

https://discuss.hashicorp.com/t/hcsec-2025-34-terraform-e...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 21, 2025
Vulnerability Reserved
Nov 19, 2025

JSON

Hashicorp

What is CVE-2025-13432?

Affected Version(s)

References

CVSS V3.1

Timeline