Vault Terraform Provider Applied Incorrect Defaults for LDAP Auth Method
Description
Vault’s Terraform Provider incorrectly set the default deny_null_bind parameter for the LDAP auth method to false by default, potentially resulting in an insecure configuration. If the underlying LDAP server allowed anonymous or unauthenticated binds, this could result in authentication bypass. This vulnerability, CVE-2025-13357, is fixed in Vault Terraform Provider v5.5.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vault Terraform Provider's LDAP auth method defaulted `deny_null_bind` to false, enabling authentication bypass if LDAP server permits anonymous binds; fixed in provider v5.5.0.
Vulnerability
Overview
CVE-2025-13357 is a default-configuration flaw in the HashiCorp Vault Terraform Provider's vault_ldap_auth_backend resource. The deny_null_bind parameter belongs to Vault's LDAP auth method: when true, Vault rejects a login that supplies an empty password before it ever issues an LDAP bind for that user, and Vault's own server-side default is true. Affected provider versions instead wrote the parameter to the mount as false whenever the attribute was omitted from the Terraform configuration [1][2]. Unless an operator explicitly set deny_null_bind = true, a mount managed by the provider therefore forwarded empty-password logins to the LDAP server as binds.
Exploitation
An attacker needs only network access to the login endpoint of the affected mount (auth/<path>/login) and a username that exists in the directory; it is Vault, not the attacker, that connects to the LDAP server. With deny_null_bind = false, Vault forwards a login carrying an empty password to the directory as a bind with empty credentials. If the LDAP server accepts anonymous or unauthenticated binds (an empty-password bind for a non-empty DN is what RFC 4513 calls an unauthenticated bind), that bind succeeds and Vault treats the login as authenticated even though no valid credential was presented [2]. Whether the directory accepts such binds is a property of the directory's configuration, outside Vault's control.
Impact
Successful exploitation bypasses authentication on the affected LDAP auth mount. The attacker receives a Vault token carrying whatever policies are mapped to the LDAP user or its groups, and can read or modify every secret and path those policies grant, so the blast radius is set by the policy mapping rather than by the flaw itself. In most deployments that amounts to a significant compromise of the infrastructure whose secrets Vault holds.
Mitigation
The fix is in Terraform Provider for Vault 5.5.0, which plans deny_null_bind as true whenever the attribute is omitted from configuration [1][4]. Upgrade to 5.5.0 or later and, as defense in depth, set deny_null_bind = true explicitly in every vault_ldap_auth_backend resource; an explicit value also protects against any future change in provider defaults. Upgrading the provider does not by itself change Vault: mounts applied by a vulnerable version still hold deny_null_bind = false until a plan is applied with the fixed provider, so after upgrading run terraform plan, confirm the expected deny_null_bind change for each LDAP mount, and apply it, or inspect the live setting directly with vault read auth/<path>/config. Independently of the provider, configure the LDAP server to reject anonymous and unauthenticated binds, since that is the precondition the bypass relies on.
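The check a practitioner wants after the overview and mitigation above is whether any managed LDAP mount still has deny_null_bind unset or false. The following Python audit is an added example for this page, not code from HashiCorp or the terraform-provider-vault project. It scans terraform show -json output (state or saved plan, recursing into child modules) and a vault read -format=json auth/<path>/config document; both are real formats, but the sample documents embedded below are constructed, and their resource addresses, mount paths and LDAP URLs are invented.

```python
"""Audit Terraform and Vault JSON for LDAP auth mounts with deny_null_bind off.

Added example for this advisory page; not code from HashiCorp or the
terraform-provider-vault project. Consumes two real formats:
  * `terraform show -json` output (state or saved plan), and
  * `vault read -format=json auth/<path>/config` output.
The sample documents at the bottom are constructed for this example.
"""
import json
from typing import Any, Iterator

RESOURCE_TYPE = "vault_ldap_auth_backend"


def _walk_modules(module: dict[str, Any]) -> Iterator[dict[str, Any]]:
    """Yield every resource in a module tree, recursing into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _walk_modules(child)


def insecure_ldap_backends(show_json: dict[str, Any]) -> list[str]:
    """Return addresses of vault_ldap_auth_backend resources whose planned or
    recorded deny_null_bind is anything other than true.

    Plan output keeps values under "planned_values", state output under
    "values"; both nest a "root_module". An absent attribute is flagged too,
    because a provider before 5.5.0 applied false to Vault whenever the
    attribute was omitted from configuration.
    """
    container = show_json.get("planned_values") or show_json.get("values") or {}
    root = container.get("root_module", {})
    findings: list[str] = []
    for res in _walk_modules(root):
        if res.get("type") != RESOURCE_TYPE:
            continue
        if res.get("values", {}).get("deny_null_bind") is not True:
            findings.append(res["address"])
    return findings


def mount_allows_null_bind(vault_read_json: dict[str, Any]) -> bool:
    """True when a `vault read -format=json auth/<path>/config` document shows
    the live mount with deny_null_bind disabled (false or absent)."""
    return vault_read_json.get("data", {}).get("deny_null_bind") is not True


# Constructed sample: one compliant mount, one explicit false, and a mount in a
# child module whose plan omits the attribute. Addresses and URLs are invented.
SAMPLE_SHOW_JSON = json.loads("""
{
  "format_version": "1.0",
  "values": {
    "root_module": {
      "resources": [
        {"address": "vault_ldap_auth_backend.corp",
         "type": "vault_ldap_auth_backend",
         "values": {"path": "ldap", "url": "ldaps://ldap.corp.example",
                    "deny_null_bind": false}},
        {"address": "vault_ldap_auth_backend.hardened",
         "type": "vault_ldap_auth_backend",
         "values": {"path": "ldap-hardened", "url": "ldaps://ldap.corp.example",
                    "deny_null_bind": true}}
      ],
      "child_modules": [
        {"address": "module.team_a",
         "resources": [
           {"address": "module.team_a.vault_ldap_auth_backend.legacy",
            "type": "vault_ldap_auth_backend",
            "values": {"path": "ldap-team-a", "url": "ldap://ldap.team-a.example"}}
         ]}
      ]
    }
  }
}
""")

# Constructed sample of `vault read -format=json auth/ldap/config` for a mount
# that was applied by a vulnerable provider version.
SAMPLE_VAULT_CONFIG = json.loads("""
{"data": {"url": "ldaps://ldap.corp.example",
          "userdn": "ou=Users,dc=corp,dc=example",
          "deny_null_bind": false}}
""")

if __name__ == "__main__":
    for address in insecure_ldap_backends(SAMPLE_SHOW_JSON):
        print(f"deny_null_bind is not true: {address}")
    if mount_allows_null_bind(SAMPLE_VAULT_CONFIG):
        print("live mount auth/ldap still accepts empty-password logins")
```

On real input, feed the functions the parsed output of terraform show -json tfplan (or terraform show -json against state) and vault read -format=json auth/<path>/config; checking both catches the case where the plan is already clean but the live mount has not been re-applied since the provider upgrade.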
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/hashicorp/terraform-provider-vault (Go) | < 5.5.0 | 5.5.0 |
Affected products
- HashiCorp / Tooling v5 (range: 4.2.0)
Patches
882bc7f409ac set deny_null_bind default to true (#2622)
3 files changed · +87 −2
CHANGELOG.md+4 −0 modified@@ -1,5 +1,9 @@ ## Unreleased +CHANGES: + +* `vault_ldap_auth_backend`: Set `deny_null_bind` to `true` by default if not provided in configuration ([#2622](https://github.com/hashicorp/terraform-provider-vault/pull/2622)) + ## 5.4.0 (Nov 3, 2025) BEHAVIOR CHANGES: Please refer to the [upgrade topics](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/guides/version_5_upgrade.html#upgrade-topics)
vault/resource_ldap_auth_backend.go+15 −2 modified@@ -247,8 +247,21 @@ func ldapAuthBackendResource() *schema.Resource { Importer: &schema.ResourceImporter{ StateContext: schema.ImportStatePassthroughContext, }, - CustomizeDiff: getMountCustomizeDiffFunc(consts.FieldPath), - Schema: fields, + CustomizeDiff: schema.CustomizeDiffFunc(func(ctx context.Context, diff *schema.ResourceDiff, meta interface{}) error { + // Handle deny_null_bind default behavior + rawConfig := diff.GetRawConfig() + configValue := rawConfig.GetAttr(consts.FieldDenyNullBind) + if configValue.IsNull() { + // Field not set in config, ensure it defaults to true + if err := diff.SetNew(consts.FieldDenyNullBind, true); err != nil { + return err + } + } + + // Apply mount customization + return getMountCustomizeDiffFunc(consts.FieldPath)(ctx, diff, meta) + }), + Schema: fields, }, true) // add automated rotation fields to the resource
vault/resource_ldap_auth_backend_test.go+68 −0 modified@@ -344,6 +344,48 @@ func TestLDAPAuthBackend_tune_conflicts(t *testing.T) { }) } +func TestLDAPAuthBackend_denyNullBindDefault(t *testing.T) { + t.Parallel() + path := acctest.RandomWithPrefix("tf-test-ldap-deny-null-bind") + + resourceName := "vault_ldap_auth_backend.test" + resource.Test(t, resource.TestCase{ + PreCheck: func() { testutil.TestAccPreCheck(t) }, + ProtoV5ProviderFactories: testAccProtoV5ProviderFactories(context.Background(), t), + CheckDestroy: testLDAPAuthBackendDestroy, + Steps: []resource.TestStep{ + { + Config: testLDAPAuthBackendConfig_denyNullBindNotSet(path), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr(resourceName, "path", path), + // Verify deny_null_bind defaults to true when not explicitly set + resource.TestCheckResourceAttr(resourceName, "deny_null_bind", "true"), + testLDAPAuthBackendCheck_attrs(resourceName, path), + ), + }, + { + Config: testLDAPAuthBackendConfig_denyNullBindExplicitFalse(path), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr(resourceName, "path", path), + // Verify deny_null_bind can be explicitly set to false + resource.TestCheckResourceAttr(resourceName, "deny_null_bind", "false"), + testLDAPAuthBackendCheck_attrs(resourceName, path), + ), + }, + { + Config: testLDAPAuthBackendConfig_denyNullBindNotSet(path), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr(resourceName, "path", path), + // Verify deny_null_bind returns to default true when removed from config + resource.TestCheckResourceAttr(resourceName, "deny_null_bind", "true"), + testLDAPAuthBackendCheck_attrs(resourceName, path), + ), + }, + testutil.GetImportTestStep(resourceName, false, nil, "bindpass", "disable_remount"), + }, + }) +} + func testLDAPAuthBackendDestroy(s *terraform.State) error { for _, rs := range s.RootModule().Resources { if rs.Type != "vault_ldap_auth_backend" { 
@@ -726,3 +768,29 @@ resource "vault_ldap_auth_backend" "test" { } `, path) } + +func testLDAPAuthBackendConfig_denyNullBindNotSet(path string) string { + return fmt.Sprintf(` +resource "vault_ldap_auth_backend" "test" { + path = "%s" + url = "ldaps://example.org" + binddn = "cn=example.com" + bindpass = "supersecurepassword" + description = "Test LDAP auth backend for deny_null_bind behavior" + # deny_null_bind is intentionally not set to test default behavior +} +`, path) +} + +func testLDAPAuthBackendConfig_denyNullBindExplicitFalse(path string) string { + return fmt.Sprintf(` +resource "vault_ldap_auth_backend" "test" { + path = "%s" + url = "ldaps://example.org" + binddn = "cn=example.com" + bindpass = "supersecurepassword" + description = "Test LDAP auth backend for deny_null_bind behavior" + deny_null_bind = false +} +`, path) +}
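Review bot: the CHANGELOG hunk files this entry under a plain CHANGES heading, but it changes what gets applied to every existing mount whose configuration omits deny_null_bind (the next plan will show deny_null_bind changing from false to true) and it fixes CVE-2025-13357; the same file already uses a BEHAVIOR CHANGES heading for 5.4.0, so this entry belongs under that heading (or a SECURITY one) with a sentence telling users to expect and apply that diff.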
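Review bot: in the resource_ldap_auth_backend.go hunk, diff.SetNew(consts.FieldDenyNullBind, true) only succeeds when deny_null_bind is declared Computed in fields (SDKv2's SetNew refuses non-computed keys), and that schema declaration is not part of this change; either add a comment at the CustomizeDiff naming the dependency, or set Default: true on the field instead, which needs no CustomizeDiff and also corrects the generated documentation. Separately, guard with rawConfig.IsNull() before rawConfig.GetAttr(consts.FieldDenyNullBind): GetRawConfig() can return a null object on some plan paths, and GetAttr on a null cty object panics instead of returning a null attribute.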
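Review bot: the three steps in TestLDAPAuthBackend_denyNullBindDefault assert deny_null_bind only on the resource's state; unless testLDAPAuthBackendCheck_attrs compares that attribute against the mount configuration read back from Vault, a regression that planned true but wrote false (the shape of the original bug) would still pass. Add an explicit check that reads auth/<path>/config from the test Vault and compares deny_null_bind, at least in the first and third steps.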
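Review bot: the two fixtures added at the end of resource_ldap_auth_backend_test.go, testLDAPAuthBackendConfig_denyNullBindNotSet and testLDAPAuthBackendConfig_denyNullBindExplicitFalse, are identical apart from the deny_null_bind line; one helper taking the extra attribute as a string argument would keep them from drifting apart when other required attributes of the resource change.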
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/advisories/GHSA-gmm6-j2g5-r52m (GHSA advisory)
2. nvd.nist.gov/vuln/detail/CVE-2025-13357 (NVD advisory)
3. discuss.hashicorp.com/t/hcsec-2025-33-vault-terraform-provider-applied-incorrect-defaults-for-ldap-auth-method/76822 (HashiCorp advisory HCSEC-2025-33)
4. github.com/hashicorp/terraform-provider-vault/commit/882bc7f409acc99c872c345edd65159d9568589a (fix commit)
5. github.com/hashicorp/terraform-provider-vault/pull/2622 (fix pull request)
6. github.com/hashicorp/terraform-provider-vault/releases/tag/v5.5.0 (v5.5.0 release)