CVE-2025-13357 Overview
CVE-2025-13357 is an insecure default configuration vulnerability in HashiCorp Vault's Terraform Provider that affects the LDAP authentication method. The provider incorrectly set the default deny_null_bind parameter to false, potentially allowing authentication bypass when the underlying LDAP server permits anonymous or unauthenticated binds. This misconfiguration could enable attackers to bypass authentication controls and gain unauthorized access to Vault secrets.
Critical Impact
Attackers exploiting this vulnerability could bypass authentication entirely, gaining unauthorized access to secrets, credentials, and sensitive data managed by HashiCorp Vault without valid credentials.
Affected Products
- HashiCorp Terraform Provider for Vault (versions prior to v5.5.0)
- HashiCorp Vault deployments using LDAP authentication configured via Terraform
- Organizations with LDAP servers that allow anonymous or unauthenticated binds
Discovery Timeline
- 2025-11-21 - CVE-2025-13357 published to NVD
- 2025-12-10 - Last updated in NVD database
Technical Details for CVE-2025-13357
Vulnerability Analysis
This vulnerability stems from an insecure default configuration (CWE-1188) in the HashiCorp Vault Terraform Provider. The LDAP authentication method relies on a parameter called deny_null_bind to prevent authentication attempts with empty or null credentials. When this parameter is set to false, the system may accept authentication requests without proper credential validation.
The impact is significant when combined with LDAP servers that allow anonymous binds. In such configurations, an attacker can submit authentication requests with null or empty credentials and successfully authenticate to Vault, bypassing all authentication controls. This grants the attacker access to secrets and sensitive data stored within Vault without requiring legitimate credentials.
Root Cause
The root cause of CVE-2025-13357 is an incorrect default value assignment in the Terraform Provider's LDAP authentication backend configuration. The deny_null_bind parameter was set to false by default instead of true. In production environments where LDAP servers are configured to accept anonymous binds (which is more common than expected for legacy compatibility reasons), this default creates an authentication bypass condition.
The Terraform Provider should have defaulted to the more secure option of deny_null_bind = true, which would reject any authentication attempts with null or empty bind credentials, regardless of the underlying LDAP server's configuration.
Attack Vector
The attack can be executed remotely over the network without requiring any privileges or user interaction. An attacker targeting a vulnerable Vault deployment would:
- Identify a Vault instance using LDAP authentication configured via the affected Terraform Provider versions
- Determine that the underlying LDAP server accepts anonymous or null binds
- Submit an authentication request to Vault's LDAP auth endpoint with empty or null credentials
- Successfully authenticate due to the permissive deny_null_bind setting
- Access secrets and sensitive data within Vault based on the default or associated policies
The exploitation relies on the combination of the insecure Terraform Provider default and an LDAP server configuration that permits anonymous binds. Organizations that have explicitly set deny_null_bind = true in their Terraform configurations are not affected.
Detection Methods for CVE-2025-13357
Indicators of Compromise
- LDAP authentication attempts with empty usernames or null credentials in Vault audit logs
- Unusual authentication patterns from unrecognized IP addresses to the LDAP auth method
- Vault token generation events without corresponding valid user credentials
- Access to sensitive paths by accounts that should not have permissions
Detection Strategies
- Review Terraform state files and configurations to identify LDAP auth backends without explicit deny_null_bind = true settings
- Audit Vault's LDAP authentication method configuration using vault read auth/ldap/config to verify current deny_null_bind status
- Implement log monitoring for authentication events with missing or empty username fields
- Deploy network monitoring to detect abnormal authentication traffic patterns to Vault's LDAP endpoints
Monitoring Recommendations
- Enable and centralize Vault audit logs to capture all authentication attempts
- Configure alerts for LDAP authentication failures and anomalies
- Monitor for changes to LDAP auth method configurations in Vault
- Implement real-time monitoring of Terraform state changes affecting Vault resources
How to Mitigate CVE-2025-13357
Immediate Actions Required
- Upgrade HashiCorp Vault Terraform Provider to version v5.5.0 or later immediately
- Review existing Terraform configurations for LDAP auth backends and explicitly set deny_null_bind = true
- Audit LDAP server configurations to disable anonymous bind capabilities where possible
- Review Vault audit logs for any evidence of exploitation prior to remediation
Patch Information
HashiCorp has released Terraform Provider version v5.5.0 that corrects the default value of deny_null_bind to true, ensuring secure-by-default configurations. Organizations should update their Terraform Provider version and re-apply configurations to remediate this vulnerability. For detailed patch information, see the HashiCorp Security Advisory HCSEC-2025-33.
Workarounds
- Explicitly set deny_null_bind = true in all LDAP auth backend Terraform configurations before upgrading
- Disable anonymous binds on LDAP servers at the directory service level
- Implement network segmentation to restrict access to Vault's authentication endpoints
- Deploy additional authentication controls such as IP allowlisting for Vault access
# Secure LDAP auth backend configuration
resource "vault_ldap_auth_backend" "ldap" {
path = "ldap"
url = "ldaps://ldap.example.com"
binddn = "cn=vault,ou=services,dc=example,dc=com"
bindpass = var.ldap_bind_password
userdn = "ou=users,dc=example,dc=com"
userattr = "uid"
groupdn = "ou=groups,dc=example,dc=com"
groupattr = "cn"
# Critical: Explicitly set to true to prevent null bind authentication bypass
deny_null_bind = true
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
