CVE-2025-13357 HIGH

CVE-2025-13357: Vault Terraform Provider Applied Incorrect Defaults for LDAP Auth Method

Vendor Hashicorp
Product Tooling
Weakness CWE-1188
Published November 21, 2025
Last update April 17, 2026

CVSS base score

7.4/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

Description

Vault's Terraform Provider incorrectly set the deny_null_bind parameter for the LDAP auth method to false by default, potentially resulting in an insecure configuration. If the underlying LDAP server allowed anonymous or unauthenticated binds, this could result in authentication bypass. This vulnerability, CVE-2025-13357, is fixed in Vault Terraform Provider v5.5.0.
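The following is an added example, not code from the advisory or from HashiCorp: a Terraform configuration that pins the provider to the fixed release and sets deny_null_bind explicitly so the effective value no longer depends on the provider's default. It assumes the provider's vault_ldap_auth_backend resource; the LDAP URL and DNs are constructed placeholders.

```hcl
terraform {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      # v5.5.0 is the release the advisory names as fixing CVE-2025-13357
      version = ">= 5.5.0"
    }
  }
}

resource "vault_ldap_auth_backend" "ldap" {
  path    = "ldap"
  url     = "ldaps://ldap.example.internal"        # constructed placeholder
  userdn  = "ou=Users,dc=example,dc=internal"      # constructed placeholder
  groupdn = "ou=Groups,dc=example,dc=internal"     # constructed placeholder

  # Before v5.5.0, leaving this argument unset made the provider write
  # deny_null_bind = false. Against a directory that accepts anonymous
  # (null) binds, a login with an empty password could then succeed.
  # Setting it explicitly keeps the configuration safe regardless of
  # which provider release runs the apply.
  deny_null_bind = true
}
```

After applying, the effective setting can be confirmed on the Vault side with `vault read auth/ldap/config`, which reports deny_null_bind alongside the other mount settings.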

Key dates

Disclosure timeline

November 21, 2025 CVE published
April 17, 2026 Record updated