Home > Vulnerability Database > CVE-2025-13357

Mend.io Vulnerability Database

CVE-2025-13357

Good to know:

Date: November 21, 2025

Vault’s Terraform Provider incorrectly set the default deny_null_bind parameter for the LDAP auth method to false by default, potentially resulting in an insecure configuration. If the underlying LDAP server allowed anonymous or unauthenticated binds, this could result in authentication bypass. This vulnerability, CVE-2025-13357, is fixed in Vault Terraform Provider v5.5.0.

Severity Score

7.4

Related Resources (8)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-13357

Url: https://discuss.hashicorp.com/t/hcsec-2025-33-vault-terraform-provider-applied-incorrect-defaults-for-ldap-auth-method/76822

Url: https://github.com/hashicorp/terraform-provider-vault/releases/tag/v5.5.0

Url: https://github.com/hashicorp/terraform-provider-vault

Url: https://github.com/hashicorp/terraform-provider-vault/commit/882bc7f409acc99c872c345edd65159d9568589a

Url: https://github.com/advisories/GHSA-gmm6-j2g5-r52m

Url: https://github.com/hashicorp/terraform-provider-vault/pull/2622

Url: https://www.mend.io/vulnerability-database/CVE-2025-13357

Severity Score

7.4

Weakness Type (CWE)

Initialization of a Resource with an Insecure Default

CWE-1188

Top Fix

Upgrade Version

Upgrade to version github.com/hashicorp/terraform-provider-vault - v5.5.0

Learn More

CVSS v3.1

Base Score:	7.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-13357

Good to know:

Date: November 21, 2025

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?