CVE-2025-3879
PUBLISHED
Vault Community, Vault Enterprise (“Vault”) Azure Auth method did not correctly validate the claims in the Azure-issued token, resulting in the potential bypass of the bound_locations parameter on login. Fixed in Vault Community Edition 1.19.1 and Vault Enterprise 1.19.1, 1.18.7, 1.17.14, 1.16.18.
Risk Scores
EPSS Score: 0.23% (45.7th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | vault | 0.10.0 |
Exploit Intelligence
- CIRCL published-proof-of-concept: CVE-2025-3879 (circl-sighting)
- CIRCL seen: CVE-2025-3879 (circl-sighting)
- https://discuss.hashicorp.com/t/hcsec-2025-07-vault-s-azure-authentication-method-bound-location-restriction-could-be-bypassed-on-login/74716 (circl)
Timeline
- May 2, 2025 CVE Published
- May 2, 2025 PoC Published
- May 3, 2025 EPSS Score
- May 6, 2025 CVE Updated
- May 15, 2025 EPSS Score
- May 27, 2025 EPSS Score
- Jun 7, 2025 EPSS Score
- Jun 14, 2025 Coalition ESS Score
- Jun 19, 2025 EPSS Score