
A critical security flaw has been discovered in HashiCorp’s Vault Terraform Provider that could allow attackers to bypass authentication and access Vault without valid credentials.
The vulnerability, tracked as CVE-2025-13357, affects organizations using LDAP authentication with Vault. The security issue stems from an incorrect default configuration in Vault’s Terraform Provider.
Specifically, the provider set the deny_null_bind parameter to false by default for the LDAP authentication method.
This default is dangerous when the underlying LDAP server permits unauthenticated (null) binds: a bind attempt with an empty password succeeds at the directory, and Vault treated that result as a successful login.
When exploited, this vulnerability allows threat actors to authenticate to Vault without providing legitimate credentials.
This authentication bypass poses significant risks to organizations storing sensitive secrets, encryption keys, and other critical data in Vault.
| CVE ID | Affected Products | Affected Versions | Impact |
|---|---|---|---|
| CVE-2025-13357 | Vault Terraform Provider | v4.2.0 to v5.4.0 | Authentication Bypass |
HashiCorp has released fixes addressing this vulnerability. Organizations should take the following actions:

- Update to Vault Terraform Provider v5.5.0, which correctly sets the deny_null_bind parameter to true by default.
- Additionally, upgrade to Vault Community Edition 1.21.1 or Vault Enterprise versions 1.21.1, 1.20.6, 1.19.12, or 1.16.28.
- Ensure the deny_null_bind parameter is explicitly set to true in LDAP auth method configurations.
- Organizations using older provider versions should explicitly set the parameter in their Terraform files and apply the changes immediately.
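The following Terraform configuration is an added example, not code from the advisory or from HashiCorp, showing the weak form (parameter omitted, so the affected provider versions default it to false) beside the hardened form that pins the fixed provider and sets deny_null_bind explicitly. The hostname, DNs, resource names and the ldap_bind_password variable are placeholders; the resource type vault_ldap_auth_backend and its arguments are the provider's own.

```hcl
# Pin the provider to the release that changed the default of deny_null_bind
# to true. The explicit setting below still protects older provider versions.
terraform {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = ">= 5.5.0"
    }
  }
}

# Weak form on provider v4.2.0 to v5.4.0: deny_null_bind is not set, so the
# provider writes false. If the LDAP server allows anonymous binds, a login
# with an empty password succeeds. Kept commented out for comparison only.
# resource "vault_ldap_auth_backend" "ldap_weak" {
#   path    = "ldap"
#   url     = "ldaps://ldap.example.internal"      # placeholder host
#   userdn  = "ou=Users,dc=example,dc=com"         # placeholder DN
#   groupdn = "ou=Groups,dc=example,dc=com"        # placeholder DN
# }

# Hardened form: the safe value is stated in the configuration, so a
# provider downgrade or default change cannot silently reopen the gap.
resource "vault_ldap_auth_backend" "ldap" {
  path     = "ldap"
  url      = "ldaps://ldap.example.internal"       # placeholder host
  userdn   = "ou=Users,dc=example,dc=com"          # placeholder DN
  groupdn  = "ou=Groups,dc=example,dc=com"         # placeholder DN
  userattr = "uid"

  # Service account used for directory searches; the password comes from a
  # sensitive variable rather than being written into the .tf file.
  binddn   = "cn=vault-bind,ou=Service,dc=example,dc=com" # placeholder DN
  bindpass = var.ldap_bind_password

  # Reject binds that carry an empty password.
  deny_null_bind = true
}

variable "ldap_bind_password" {
  type      = string
  sensitive = true
}
```

After `terraform apply`, the effective setting can be confirmed on the Vault side with `vault read auth/ldap/config`, which lists deny_null_bind among the method's configuration keys; a value of false on any LDAP mount managed by an affected provider version is the condition this advisory describes.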
The patched Vault versions no longer accept empty password strings, effectively preventing unauthenticated LDAP connections via the authentication method.
HashiCorp has announced that this outdated parameter will be removed in future releases. This vulnerability was identified by a third-party researcher who responsibly disclosed it to HashiCorp.
Organizations using Vault with LDAP authentication should prioritize applying these security updates to protect their infrastructure from potential exploitation.
