HCSEC-2025-05 PUBLISHED

**Bulletin ID:** HCSEC-2025-05

**Affected Products / Versions:** Terraform Enterprise up to v202502-1; fixed in v202502-2.

**Publication Date:** March 13, 2025

**Summary**

Terraform Enterprise’s single sign-on functionality is implemented using the Ruby SAML library, which disclosed two authentication bypass vulnerabilities exploitable by an XML signature wrapping attack. The vulnerabilities, CVE-2025-25291 and CVE-2025-25292, were addressed by an upgrade of the Ruby SAML version used in Terraform Enterprise v202502-2.

**Background**

Terraform Enterprise provides single sign-on (SSO) functionality via optional SAML integration with an identity provider ([configuration docs](https://developer.hashicorp.com/terraform/enterprise/saml/configuration), [tutorial](https://developer.hashicorp.com/terraform/tutorials/enterprise/enable-sso-saml-tfe-okta)).

**Details**

Terraform Enterprise’s SSO functionality is implemented using the open source [Ruby SAML](https://github.com/SAML-Toolkits/ruby-saml) library, which recently disclosed two related authentication bypass vulnerabilities, [CVE-2025-25291](https://www.cve.org/CVERecord?id=CVE-2025-25291) and [CVE-2025-25292](https://www.cve.org/CVERecord?id=CVE-2025-25292). Additional information regarding these CVEs has [been published](https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials/) by GitHub Security Lab.

The version of the Ruby SAML library in use by Terraform Enterprise has been upgraded to a newer release in which these vulnerabilities have been addressed. This version of the library also addresses a denial-of-service vulnerability, [CVE-2025-25293](https://www.cve.org/CVERecord?id=CVE-2025-25293).

**Remediation**

Customers using Terraform Enterprise’s SSO feature should prioritize an upgrade to Terraform Enterprise v202502-2 or newer.

Please refer to [Upgrade Terraform Enterprise](https://developer.hashicorp.com/terraform/enterprise/deploy/manage/upgrade) for general guidance and [Terraform Enterprise Releases](https://developer.hashicorp.com/terraform/enterprise/releases) for version-specific upgrade notes.

Customers who use Terraform Enterprise’s SSO but are unable to upgrade to v202502-2 or newer in the near future should consider ensuring that their Terraform Enterprise deployments are accessible only from trusted network locations.

Customers on a Replicated deployment of Terraform Enterprise should refer to [Migrate to non-Replicated runtime](https://developer.hashicorp.com/terraform/enterprise/deploy/replicated-migration). To ensure you receive the latest features and fixes, including security patches, please plan to migrate to a new deployment option immediately.

**Acknowledgement**

Thanks to the Ruby SAML maintainers, GitHub Security Lab, ahacker1, and others involved in this coordinated disclosure.

*We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see [https://hashicorp.com/security](https://hashicorp.com/security).*
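As an added example (not part of the bulletin or of HashiCorp's tooling), the following Ruby script classifies Terraform Enterprise release tags against the fixed release named in the Remediation section, so an operator can audit an inventory of deployments. It assumes the `vYYYYMM-N` release scheme used in the bulletin's version strings; the deployment names and tags are constructed sample data.

```ruby
# Added example: audit TFE release tags against the fix in HCSEC-2025-05.
# Release tags follow TFE's "vYYYYMM-N" scheme (e.g. v202502-1).
FIXED_RELEASE = 'v202502-2'.freeze

TFE_TAG = /\Av(\d{4})(\d{2})-(\d+)\z/

# Parse "v202502-1" into a comparable [year, month, patch] array.
# Returns nil for strings that do not follow the TFE release scheme.
def parse_tfe_version(tag)
  m = TFE_TAG.match(tag.to_s.strip)
  return nil unless m
  year, month, patch = m.captures.map(&:to_i)
  return nil unless (1..12).cover?(month)
  [year, month, patch]
end

# True when the release predates FIXED_RELEASE, i.e. is within the
# "up to v202502-1" range the bulletin lists as affected by
# CVE-2025-25291 / CVE-2025-25292. Unparseable tags are reported as
# affected so they get a human look rather than a silent pass.
def affected_by_hcsec_2025_05?(tag)
  parsed = parse_tfe_version(tag)
  return true if parsed.nil?
  (parsed <=> parse_tfe_version(FIXED_RELEASE)).negative?
end

# Given {deployment_name => release_tag}, return the deployment names
# that still need the upgrade, sorted for stable reporting.
def deployments_needing_upgrade(inventory)
  inventory.select { |_, tag| affected_by_hcsec_2025_05?(tag) }.keys.sort
end

if $PROGRAM_NAME == __FILE__
  # Constructed inventory for illustration only.
  inventory = {
    'tfe-prod-eu' => 'v202502-1',
    'tfe-prod-us' => 'v202502-2',
    'tfe-staging' => 'v202412-1',
    'tfe-dev'     => 'v202503-1',
    'tfe-legacy'  => 'unknown'
  }
  puts "Deployments needing upgrade: #{deployments_needing_upgrade(inventory).join(', ')}"
end
```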
