logo

Database

Insecure service configuration In github.com/hashicorp/terraform-provider-vault

Description

Vault’s Terraform Provider incorrectly set default deny_null_bind parameter for LDAP auth method to false by default Vault’s Terraform Provider incorrectly set the default deny_null_bind parameter for the LDAP auth method to false by default, potentially resulting in an insecure configuration. If the underlying LDAP server allowed anonymous or unauthenticated binds, this could result in authentication bypass. This vulnerability, CVE-2025-13357, is fixed in Vault Terraform Provider v5.5.0.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-133572. NVD-2025-133573. OSV-2025-133574. GHSA-gmm6-j2g5-r52m5. GCVE-2025-13357

References

1. https://github.com/hashicorp/terraform-provider-vault/pull/26222. https://github.com/hashicorp/terraform-provider-vault/commit/882bc7f409acc99c872c345edd65159d9568589a3. https://discuss.hashicorp.com/t/hcsec-2025-33-vault-terraform-provider-applied-incorrect-defaults-for-ldap-auth-method/768224. https://github.com/hashicorp/terraform-provider-vault/releases/tag/v5.5.0

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.