Sunday, May 24, 2026

HashiCorp Vault Flaw Enables Credential-Free Authentication Bypass

HashiCorp has disclosed a security flaw in its Vault Terraform Provider that allows attackers to bypass valid credentials and log in to Vault via LDAP authentication.

Tracked as CVE-2025-13357 and bulletin HCSEC-2025-33, the issue stems from incorrect default settings and affects users managing Vault setups with Terraform.

Published on November 21, 2025, it could expose sensitive secrets, such as encryption keys, if exploited.​

The vulnerability arises when deploying Vault’s LDAP auth backend through the Terraform Provider versions 4.2.0 to 5.4.0.

By default, the provider sets the deny_null_bind parameter to false unless it is explicitly set to true in the Terraform configuration.

This parameter controls whether Vault rejects “null binds”—LDAP connections without a username or password.

If the connected LDAP server allows anonymous binds (as is typical in misconfigured setups), attackers can connect to Vault without credentials, bypassing authentication entirely.

Technical Breakdown

Vault’s LDAP auth method integrates with external directories for user logins, relying on the LDAP server’s bind rules.

The Terraform Provider automates Vault API calls via HCL files, but its flaw silently applies insecure defaults.

For example, a Terraform resource like vault_auth_backend("ldap") that omits the deny_null_bind = true option enables null binds if the LDAP server allows them.

Recent Vault releases add defenses: versions 1.21.1, 1.20.6, 1.19.12, and 1.16.28 reject empty password strings outright.

The CVSS score is 7.2 (High), reflecting network access with low privileges but high impact on confidentiality and integrity.

No exploits are public yet, but third-party researchers found it via config audits.

Affected Component          | Versions                    | Fixed In
----------------------------|-----------------------------|-------------------------------------
Vault Terraform Provider    | 4.2.0 – 5.4.0               | 5.5.0
Vault (partial mitigations) | All prior to listed patches | 1.21.1 / 1.20.6 / 1.19.12 / 1.16.28

Steps To Fix

Upgrade the Terraform Provider to v5.5.0, where deny_null_bind defaults to true.

For older provider versions, manually edit the Terraform files to set deny_null_bind = true and run terraform apply. Update Vault servers to patched releases that block null binds on the server side.

Scan configs for LDAP backends and test LDAP servers for anonymous bind support—turn it off if possible.
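The config scan above can be automated. The following is an added example, not code from the article or from HashiCorp: it walks Terraform HCL for LDAP auth backend resources and flags any where deny_null_bind is absent (and therefore defaults to false on provider 4.2.0 to 5.4.0) or explicitly false. It assumes the provider's resource name vault_ldap_auth_backend (taken from the provider documentation, not from the article) and a constructed sample configuration.

```python
import re

# Constructed sample Terraform config (not from the article or HashiCorp):
# three LDAP auth backends in the three states the audit must tell apart.
SAMPLE_TF = """
resource "vault_ldap_auth_backend" "corp" {
  path = "ldap"
  url  = "ldaps://ldap.example.internal"
  # deny_null_bind omitted: provider 4.2.0-5.4.0 silently defaults it to false
}

resource "vault_ldap_auth_backend" "legacy" {
  path           = "ldap-legacy"
  url            = "ldap://old.example.internal"
  deny_null_bind = false
}

resource "vault_ldap_auth_backend" "hardened" {
  path           = "ldap-secure"
  url            = "ldaps://ldap.example.internal"
  deny_null_bind = true
}
"""

# Matches one resource block; assumes the block's closing brace is unindented,
# which is how terraform fmt writes top-level blocks.
RESOURCE_RE = re.compile(
    r'resource\s+"vault_ldap_auth_backend"\s+"([^"]+)"\s*\{(.*?)\n\}', re.S
)
# Matches an attribute line, not a comment that merely mentions the attribute.
DENY_RE = re.compile(r"^\s*deny_null_bind\s*=\s*(true|false)\b", re.M)


def audit_ldap_backends(tf_text):
    """Return {resource_name: finding}; finding is None when deny_null_bind = true."""
    findings = {}
    for m in RESOURCE_RE.finditer(tf_text):
        name, body = m.group(1), m.group(2)
        d = DENY_RE.search(body)
        if d is None:
            findings[name] = "deny_null_bind not set (defaults to false on provider 4.2.0-5.4.0)"
        elif d.group(1) == "false":
            findings[name] = "deny_null_bind explicitly false"
        else:
            findings[name] = None
    return findings


def insecure_backends(tf_text):
    """Sorted names of backends that would accept LDAP null binds."""
    return sorted(n for n, f in audit_ldap_backends(tf_text).items() if f)
```

The "not set" finding only matters on the affected provider range; from 5.5.0 an omitted deny_null_bind already defaults to true, but setting it explicitly keeps the configuration safe regardless of provider version.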

HashiCorp urges risk assessments, as exploitation needs LDAP misconfigurations but could leak Vault-stored secrets. Report issues via their security portal.

Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
