HashiCorp Vault security vulnerability exposing LDAP authentication bypass

HashiCorp Vault Vulnerability Lets Attackers Access Vault Without Credentials

A newly disclosed critical vulnerability in HashiCorp’s Vault Terraform Provider could allow attackers to bypass authentication and access Vault instances without valid credentials, posing a major security threat to organizations relying on Vault for secrets management.

The flaw, tracked as CVE-2025-13357, impacts environments using LDAP authentication with HashiCorp Vault. The issue originates from an incorrect default configuration in the Terraform Provider: the deny_null_bind parameter for LDAP auth was set to false by default.

How the Vulnerability Works

Because many LDAP servers allow unauthenticated (null or anonymous) bind requests, this misconfiguration created a significant security loophole: with deny_null_bind set to false, a login attempt carrying an empty password is passed through to the directory as a bind, the directory reports that bind as successful, and Vault treats the result as a valid authentication. Attackers could exploit the issue to successfully authenticate to Vault without providing a username or password, potentially gaining access to sensitive secrets, encryption keys, and critical infrastructure data.

Patch and Security Recommendations

HashiCorp has issued fixes and is urging all users to apply updates immediately. Recommended steps include:

  • Upgrade to Vault Terraform Provider v5.5.0, which now defaults deny_null_bind to true.
  • Update HashiCorp Vault to one of the patched releases:
    • Community Edition 1.21.1
    • Enterprise 1.21.1, 1.20.6, 1.19.12, 1.16.28
  • Explicitly set deny_null_bind = true in all LDAP authentication method configurations.
  • For older provider versions, manually set the parameter in Terraform files and reapply.
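
The following Terraform configuration is an added example illustrating the mechanism described above and the recommended remediation; it is not taken from the advisory or from HashiCorp's own documentation. The resource type vault_ldap_auth_backend and its deny_null_bind argument are real provider identifiers; the hostnames, distinguished names, variable name and mount path are placeholders.

```hcl
# Pin the provider to the first release whose default for deny_null_bind is true.
terraform {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = ">= 5.5.0"
    }
  }
}

# Bind credentials for the directory lookup account (placeholder variable).
variable "ldap_bind_password" {
  type      = string
  sensitive = true
}

# Weak configuration on provider versions before 5.5.0 (kept commented out so
# this file cannot be applied as-is): deny_null_bind is omitted, so the old
# provider default of false is written to Vault and empty-password binds are
# accepted wherever the directory permits anonymous binds.
#
# resource "vault_ldap_auth_backend" "ldap" {
#   path     = "ldap"
#   url      = "ldaps://ldap.example.internal:636"
#   userdn   = "ou=Users,dc=example,dc=internal"
#   userattr = "uid"
#   binddn   = "cn=vault-bind,ou=Service,dc=example,dc=internal"
#   bindpass = var.ldap_bind_password
# }

# Hardened configuration: deny_null_bind is set explicitly, so the outcome does
# not depend on which provider version happens to run the apply.
resource "vault_ldap_auth_backend" "ldap" {
  path      = "ldap"
  url       = "ldaps://ldap.example.internal:636"
  userdn    = "ou=Users,dc=example,dc=internal"
  userattr  = "uid"
  groupdn   = "ou=Groups,dc=example,dc=internal"
  groupattr = "cn"
  binddn    = "cn=vault-bind,ou=Service,dc=example,dc=internal"
  bindpass  = var.ldap_bind_password

  # Reject binds that carry an empty password (the fix for CVE-2025-13357).
  deny_null_bind = true
}
```

Running `terraform plan` against an existing mount after adding the explicit setting shows deny_null_bind changing from false to true in the diff, which is a convenient way to confirm which LDAP mounts were previously exposed before applying the change.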

The updated Vault versions also block empty password strings, eliminating the possibility of unauthenticated LDAP binds.

HashiCorp noted that the deny_null_bind parameter will be deprecated in future releases. The vulnerability was discovered and responsibly disclosed by an independent security researcher.

Organizations using Vault with LDAP authentication are strongly advised to prioritize patching and configuration reviews to prevent potential exploitation.