PT-2025-47785 · Hashicorp · Vault Terraform Provider
Published 2025-11-21 · Updated 2025-12-15 · CVE-2025-13357
CVSS v3.1: 9.8 Critical | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Vault Terraform Provider versions prior to 5.5.0
Description
The Vault Terraform Provider shipped with an insecure default for the LDAP auth method: the deny null bind parameter defaulted to false. If the LDAP server permits anonymous or unauthenticated binds, this default could allow authentication bypass and therefore unauthorized access.
Recommendations
Update to Vault Terraform Provider version 5.5.0 or later.
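The advisory turns on a single provider setting, so the practical check is whether every LDAP auth backend in a Terraform code base sets it explicitly. Below is an added example (not code from the advisory or from HashiCorp) that scans Terraform source for `vault_ldap_auth_backend` resource blocks and flags those where `deny_null_bind` is absent (and so fell back to the pre-5.5.0 default of false) or is explicitly false. The sample configuration is constructed for the example; the resource and attribute names are those of the real provider, while the hostnames and paths are placeholders.

```python
import re

# Constructed sample Terraform configuration (not from the advisory).
SAMPLE_TF = '''
resource "vault_ldap_auth_backend" "legacy" {
  path   = "ldap-legacy"
  url    = "ldaps://ldap.example.internal"
  userdn = "ou=Users,dc=example,dc=internal"
  # deny_null_bind not set: provider versions before 5.5.0 defaulted it to false
}

resource "vault_ldap_auth_backend" "explicit_false" {
  path           = "ldap-weak"
  url            = "ldaps://ldap.example.internal"
  deny_null_bind = false
}

resource "vault_ldap_auth_backend" "hardened" {
  path           = "ldap"
  url            = "ldaps://ldap.example.internal"
  userdn         = "ou=Users,dc=example,dc=internal"
  deny_null_bind = true
}

resource "vault_mount" "kv" {
  path = "secret"
  type = "kv"
}
'''

# Matches the opening of a vault_ldap_auth_backend resource block; group 1 is the block label.
RESOURCE_RE = re.compile(r'resource\s+"vault_ldap_auth_backend"\s+"([^"]+)"\s*\{')
# Matches an uncommented deny_null_bind assignment at the start of a line inside the block body.
ATTR_RE = re.compile(r'^\s*deny_null_bind\s*=\s*(true|false)\b', re.MULTILINE)


def _block_body(text, open_idx):
    """Return the text between the '{' at open_idx and its matching '}' (handles nested blocks)."""
    depth = 0
    for i in range(open_idx, len(text)):
        ch = text[i]
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in Terraform source")


def find_null_bind_findings(tf_source):
    """Return a list of (resource_label, reason) for every LDAP auth backend that
    does not explicitly set deny_null_bind = true. Other resource types are ignored."""
    findings = []
    for match in RESOURCE_RE.finditer(tf_source):
        label = match.group(1)
        body = _block_body(tf_source, match.end() - 1)  # match ends on the '{'
        attr = ATTR_RE.search(body)
        if attr is None:
            findings.append((label, "deny_null_bind not set (defaulted to false before provider 5.5.0)"))
        elif attr.group(1) == "false":
            findings.append((label, "deny_null_bind explicitly set to false"))
    return findings


if __name__ == "__main__":
    for label, reason in find_null_bind_findings(SAMPLE_TF):
        print(f'vault_ldap_auth_backend "{label}": {reason}')
```

Run against a real code base, the scanner is a cheap pre-merge gate: even after upgrading the provider, pinning `deny_null_bind = true` in the configuration keeps the setting independent of whatever default a future provider version ships.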
Affected Products
Vault Terraform Provider