x/vulndb: potential Go vuln in github.com/hashicorp/terraform-provider-vault: GHSA-gmm6-j2g5-r52m

Advisory [GHSA-gmm6-j2g5-r52m](https://github.com/advisories/GHSA-gmm6-j2g5-r52m) references a vulnerability in the following Go modules:

| Module |
| - |
| [github.com/hashicorp/terraform-provider-vault](https://pkg.go.dev/github.com/hashicorp/terraform-provider-vault) |

Description:
Vault’s Terraform Provider incorrectly set the default deny_null_bind parameter for the LDAP auth method to false by default, potentially resulting in an insecure configuration. If the underlying LDAP server allowed anonymous or unauthenticated binds, this could result in authentication bypass. This vulnerability, CVE-2025-13357, is fixed in Vault Terraform Provider v5.5.0.

References:
- ADVISORY: https://github.com/advisories/GHSA-gmm6-j2g5-r52m
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-13357
- FIX: https://github.com/hashicorp/terraform-provider-vault/commit/882bc7f409acc99c872c345edd65159d9568589a
- FIX: https://github.com/hashicorp/terraform-provider-vault/pull/2622
- WEB: https://discuss.hashicorp.com/t/hcsec-2025-33-vault-terraform-provider-applied-incorrect-defaults-for-ldap-auth-method/76822
- WEB: https://github.com/hashicorp/terraform-provider-vault/releases/tag/v5.5.0

No existing reports found with this module or alias.
See [doc/quickstart.md](https://github.com/golang/vulndb/blob/master/doc/quickstart.md) for instructions on how to triage this report.

```
id: GO-ID-PENDING
modules:
    - module: github.com/hashicorp/terraform-provider-vault
      non_go_versions:
        - fixed: 5.5.0
      vulnerable_at: 1.9.0
summary: |-
    Vault’s Terraform Provider incorrectly set default deny_null_bind parameter
    for LDAP auth method to false by default in github.com/hashicorp/terraform-provider-vault
cves:
    - CVE-2025-13357
ghsas:
    - GHSA-gmm6-j2g5-r52m
references:
    - advisory: https://github.com/advisories/GHSA-gmm6-j2g5-r52m
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-13357
    - fix: https://github.com/hashicorp/terraform-provider-vault/commit/882bc7f409acc99c872c345edd65159d9568589a
    - fix: https://github.com/hashicorp/terraform-provider-vault/pull/2622
    - web: https://discuss.hashicorp.com/t/hcsec-2025-33-vault-terraform-provider-applied-incorrect-defaults-for-ldap-auth-method/76822
    - web: https://github.com/hashicorp/terraform-provider-vault/releases/tag/v5.5.0
source:
    id: GHSA-gmm6-j2g5-r52m
    created: 2025-11-21T19:01:19.978719701Z
review_status: UNREVIEWED

```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

x/vulndb: potential Go vuln in github.com/hashicorp/terraform-provider-vault: GHSA-gmm6-j2g5-r52m #4152

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

x/vulndb: potential Go vuln in github.com/hashicorp/terraform-provider-vault: GHSA-gmm6-j2g5-r52m #4152

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions