Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-13357

Vault’s Terraform Provider incorrectly set the default deny_null_bind parameter for the LDAP auth method to false by default, potentially resulting in an insecure configuration. If the underlying LDAP server allowed anonymous or unauthenticated binds, this could result in authentication bypass. This vulnerability, CVE-2025-13357, is fixed in Vault Terraform Provider v5.5.0.

Published

2025-11-21T15:15:51.313

Last Modified

2025-12-10T21:00:48.097

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 7.4 (HIGH)

Weaknesses

Type: Secondary
CWE-1188

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	hashicorp	terraform_provider	< 5.5.0	Yes

References

https://discuss.hashicorp.com/t/hcsec-2025-33-vault-terraform-provider-applied-incorrect-defaults-for-ldap-auth-method/76822 Vendor Advisory ([email protected])