CVE-2025-3879 Overview
CVE-2025-3879 is an authorization bypass vulnerability in HashiCorp Vault Community and Vault Enterprise. The Azure authentication method failed to correctly validate claims in Azure-issued tokens. This flaw allowed authenticated callers to bypass the bound_locations parameter enforced during login. An attacker with a valid Azure-issued token could authenticate to a Vault role that should have been restricted to specific Azure regions. The issue is tracked as CWE-863: Incorrect Authorization and is documented in HashiCorp Security Advisory HCSEC-2025-07. HashiCorp fixed the issue in Vault Community Edition 1.19.1 and Vault Enterprise 1.19.1, 1.18.7, 1.17.14, and 1.16.18.
Critical Impact
Attackers holding a valid Azure token can bypass region-based login restrictions on Vault Azure Auth roles, gaining access to secrets that should be unreachable from their Azure location.
Affected Products
- HashiCorp Vault Community Edition prior to 1.19.1
- HashiCorp Vault Enterprise prior to 1.19.1, 1.18.7, 1.17.14, and 1.16.18
- Deployments using the Azure Auth method with bound_locations restrictions
Discovery Timeline
- 2025-05-02 - CVE-2025-3879 published to NVD
- 2025-08-12 - Last updated in NVD database
Technical Details for CVE-2025-3879
Vulnerability Analysis
The Vault Azure Auth method allows clients to authenticate using a signed JSON Web Token (JWT) issued by Azure Active Directory along with VM or service principal metadata. Operators can restrict authentication to specific Azure regions by configuring the bound_locations parameter on a role. When a client logs in, Vault is expected to verify that the caller's location claim matches the bound values.
The vulnerability stems from incorrect validation of these claims during the login flow. Vault did not properly enforce the bound location constraint against the data presented in the Azure-issued token. As a result, a caller could authenticate to a role even when the underlying Azure resource was located outside the permitted regions. This is an authorization bypass classified as CWE-863.
Successful exploitation grants the attacker the Vault token and policies attached to the targeted role. Depending on role configuration, this can expose secrets, signing keys, and dynamic credentials issued by Vault.
Root Cause
The root cause is improper validation of Azure token claims in the Azure Auth method's login handler. The check intended to enforce bound_locations did not reliably compare the authoritative location value from the validated token against the configured allow list, allowing the restriction to be bypassed.
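The enforcement pattern the root cause describes, as an added illustration in Go that is not Vault's code and does not reproduce the actual defect: the bound_* lists are compared only against values the backend established itself (signature-verified token claims and the resource record fetched from the cloud API), never against fields supplied in the login request, comparison is case-insensitive, and a configured constraint whose value could not be established fails closed. The type and function names, the placeholder subscription id and the sample locations are all constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// RoleBindings is an illustrative stand-in for the bound_* allow-lists on an
// Azure Auth role. It is not Vault's own role struct.
type RoleBindings struct {
	BoundSubscriptionIDs []string
	BoundResourceGroups  []string
	BoundLocations       []string
}

// ResourceFacts carries values the backend established from trustworthy
// sources: the signature-verified token's claims and the resource record
// fetched from the cloud API. Nothing here comes from the caller's request
// body, which is the design point the root cause above turns on.
type ResourceFacts struct {
	SubscriptionID string
	ResourceGroup  string
	Location       string
}

// ErrBindingFailed wraps every bound_* mismatch so callers can test for it.
var ErrBindingFailed = errors.New("login rejected")

// memberOf is a case-insensitive allow-list membership test; Azure location
// and resource-group names are compared without regard to case.
func memberOf(v string, allow []string) bool {
	for _, a := range allow {
		if strings.EqualFold(strings.TrimSpace(a), strings.TrimSpace(v)) {
			return true
		}
	}
	return false
}

// Authorize enforces every configured bound_* list. An empty list means the
// role is not constrained on that attribute. A configured list with no match,
// or an attribute the backend could not establish at all, fails closed.
func Authorize(role RoleBindings, facts ResourceFacts) error {
	checks := []struct {
		name, value string
		allow       []string
	}{
		{"bound_subscription_ids", facts.SubscriptionID, role.BoundSubscriptionIDs},
		{"bound_resource_groups", facts.ResourceGroup, role.BoundResourceGroups},
		{"bound_locations", facts.Location, role.BoundLocations},
	}
	for _, c := range checks {
		if len(c.allow) == 0 {
			continue
		}
		if strings.TrimSpace(c.value) == "" {
			return fmt.Errorf("%w: %s configured but value could not be established", ErrBindingFailed, c.name)
		}
		if !memberOf(c.value, c.allow) {
			return fmt.Errorf("%w: %s does not permit %q", ErrBindingFailed, c.name, c.value)
		}
	}
	return nil
}

func main() {
	// Constructed role and facts; "<subscription-id>" is a placeholder.
	role := RoleBindings{
		BoundSubscriptionIDs: []string{"<subscription-id>"},
		BoundLocations:       []string{"eastus", "westus"},
	}
	inRegion := ResourceFacts{SubscriptionID: "<subscription-id>", ResourceGroup: "prod-rg", Location: "EastUS"}
	outOfRegion := ResourceFacts{SubscriptionID: "<subscription-id>", ResourceGroup: "prod-rg", Location: "northeurope"}
	fmt.Println("in-region login:", Authorize(role, inRegion))         // <nil>
	fmt.Println("out-of-region login:", Authorize(role, outOfRegion)) // login rejected: bound_locations does not permit "northeurope"
}
```

The point to carry over to any real review of an auth backend is the signature of Authorize: the request body is not an input, so there is no way for a caller-supplied location to reach the comparison, and a missing authoritative value rejects rather than skips the check.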
Attack Vector
The attack vector is network-based and requires the attacker to be an authenticated Azure identity capable of obtaining a token that Vault will process. An attacker with low-privileged Azure credentials can request a token and submit it to Vault's Azure Auth login endpoint. If a target role uses bound_locations as its primary scoping control, the attacker can authenticate to that role despite operating from a non-permitted region. Refer to the HashiCorp Security Advisory HCSEC-2025-07 for vendor-published technical detail.
Detection Methods for CVE-2025-3879
Indicators of Compromise
- Successful auth/azure/login events on roles configured with bound_locations where the source Azure resource resides outside the configured regions.
- Vault audit log entries showing token issuance for Azure Auth roles to principals not previously observed authenticating to that role.
- Use of Vault tokens minted via Azure Auth to read secrets or generate dynamic credentials shortly after an unexpected login.
Detection Strategies
- Parse Vault audit logs and correlate Azure Auth login events with the location claim of the presented token and the Azure resource metadata.
- Compare each successful Azure Auth login against the bound_locations configured on the role and alert on mismatches.
- Baseline normal Azure Auth login geography per role and flag deviations.
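The second detection strategy above (compare each successful Azure Auth login with the role's bound_locations), as an added Go example that is not part of the advisory and not HashiCorp's tooling. It reads Vault file audit device JSON lines, keeps only response entries for auth/azure/login that carry issued-token metadata, resolves the VM's real location from a separately maintained Azure resource inventory, and reports any login whose location is outside the role's bound_locations or cannot be resolved at all. The metadata key names (role, subscription_id, resource_group_name, vm_name), the sample audit lines, the role configuration and the inventory are all assumptions constructed for this example; confirm the key names against a real login entry in your own audit log before relying on them.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// auditEntry is the subset of a Vault file audit device JSON line this check
// reads. The response.auth.metadata keys used below are an assumption about
// what the Azure Auth method records; verify them against a real entry.
type auditEntry struct {
	Time    string `json:"time"`
	Type    string `json:"type"`
	Request struct {
		Path string `json:"path"`
	} `json:"request"`
	Response struct {
		Auth struct {
			Metadata map[string]string `json:"metadata"`
		} `json:"auth"`
	} `json:"response"`
}

// resourceKey identifies an Azure VM; values are lower-cased before lookup.
type resourceKey struct{ Sub, RG, VM string }

// Finding is one successful login that violated, or could not be checked
// against, the role's bound_locations.
type Finding struct {
	Time, Role, VM, Location string
}

func inList(v string, list []string) bool {
	for _, x := range list {
		if strings.EqualFold(strings.TrimSpace(x), strings.TrimSpace(v)) {
			return true
		}
	}
	return false
}

// FindOutOfRegionLogins scans audit lines for successful Azure Auth logins and
// compares the resource's inventoried location with the role's bound_locations.
// Logins whose resource is absent from inventory are reported as well: an
// unverifiable location is not a pass.
func FindOutOfRegionLogins(auditLog string, roleBound map[string][]string, inventory map[resourceKey]string) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(auditLog))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e auditEntry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			continue // not a JSON audit line; skip
		}
		// Only response entries for the login path carry issued-token data.
		if e.Type != "response" || e.Request.Path != "auth/azure/login" {
			continue
		}
		md := e.Response.Auth.Metadata
		if md == nil {
			continue // failed login: no token was issued
		}
		bound := roleBound[md["role"]]
		if len(bound) == 0 {
			continue // role not scoped by bound_locations
		}
		key := resourceKey{
			Sub: strings.ToLower(md["subscription_id"]),
			RG:  strings.ToLower(md["resource_group_name"]),
			VM:  strings.ToLower(md["vm_name"]),
		}
		loc, known := inventory[key]
		if !known || !inList(loc, bound) {
			findings = append(findings, Finding{e.Time, md["role"], md["vm_name"], loc})
		}
	}
	return findings
}

// Constructed sample data: four audit lines, one role bound to eastus/westus,
// and an inventory that knows two of the three VMs.
const sampleAudit = `
{"time":"2025-05-03T10:00:00Z","type":"request","request":{"path":"auth/azure/login"}}
{"time":"2025-05-03T10:00:01Z","type":"response","request":{"path":"auth/azure/login"},"response":{"auth":{"metadata":{"role":"my-role","subscription_id":"sub-0001","resource_group_name":"prod-rg","vm_name":"web-01"}}}}
{"time":"2025-05-03T10:05:00Z","type":"response","request":{"path":"auth/azure/login"},"response":{"auth":{"metadata":{"role":"my-role","subscription_id":"sub-0001","resource_group_name":"prod-rg","vm_name":"batch-07"}}}}
{"time":"2025-05-03T10:07:00Z","type":"response","request":{"path":"auth/azure/login"},"response":{"auth":{"metadata":{"role":"my-role","subscription_id":"sub-0001","resource_group_name":"prod-rg","vm_name":"ghost-99"}}}}
`

var sampleRoleBound = map[string][]string{"my-role": {"eastus", "westus"}}

var sampleInventory = map[resourceKey]string{
	{"sub-0001", "prod-rg", "web-01"}:   "eastus",
	{"sub-0001", "prod-rg", "batch-07"}: "northeurope",
}

func main() {
	for _, f := range FindOutOfRegionLogins(sampleAudit, sampleRoleBound, sampleInventory) {
		fmt.Printf("%s role=%s vm=%s location=%q\n", f.Time, f.Role, f.VM, f.Location)
	}
}
```

In practice the roleBound map is populated from `vault read auth/azure/role/<name>` for each role and the inventory from your Azure resource export; keeping the location lookup outside the audit log is deliberate, since the whole question is whether the value Vault acted on matched where the resource really lives.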
Monitoring Recommendations
- Enable Vault audit devices and forward logs to a centralized analytics platform for long-term retention.
- Monitor Azure sign-in logs for token requests targeting service principals associated with Vault Auth roles.
- Alert on creation or modification of Vault Azure Auth roles, particularly changes to bound_locations, bound_subscription_ids, or bound_resource_groups.
How to Mitigate CVE-2025-3879
Immediate Actions Required
- Upgrade to Vault Community Edition 1.19.1 or Vault Enterprise 1.19.1, 1.18.7, 1.17.14, or 1.16.18.
- Inventory all Azure Auth roles and identify any that rely on bound_locations as a primary access control.
- Rotate Vault tokens and any dynamic secrets issued through Azure Auth roles since the vulnerable versions were deployed.
- Review Vault audit logs for unexpected Azure Auth logins prior to patching.
Patch Information
HashiCorp resolved CVE-2025-3879 in Vault Community Edition 1.19.1 and Vault Enterprise 1.19.1, 1.18.7, 1.17.14, and 1.16.18. Apply the fixed release matching your deployment track. Refer to the HashiCorp Security Advisory HCSEC-2025-07 for vendor guidance.
Workarounds
- Tighten Azure Auth roles by adding bound_subscription_ids, bound_resource_groups, bound_group_ids, or bound_service_principal_ids rather than relying solely on bound_locations.
- Restrict which Azure identities can request tokens for the audience accepted by Vault's Azure Auth method.
- Reduce token TTLs and policy scope on affected roles until patches are deployed.
# Example: harden an Azure Auth role with additional bound parameters
# (<subscription-id> and <resource-group> are placeholders; policies, ttl and
# max_ttl are legacy aliases of token_policies, token_ttl and token_max_ttl)
vault write auth/azure/role/my-role \
    bound_subscription_ids="<subscription-id>" \
    bound_resource_groups="<resource-group>" \
    bound_locations="eastus,westus" \
    policies="read-secrets" \
    ttl="15m" \
    max_ttl="1h"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.