HCSEC-2025-07
**Bulletin ID:** HCSEC-2025-07

**Affected Products / Versions:**

- Vault Community Edition from 0.10.0 up to 1.19.0, fixed in 1.19.1.
- Vault Enterprise from 0.10.0 up to 1.19.0, 1.18.6, 1.17.13, 1.16.17, fixed in 1.19.1, 1.18.7, 1.17.14, 1.16.18.

**Publication Date:** May 2, 2025

**Summary**

The Azure auth method in Vault Community Edition and Vault Enterprise (“Vault”) did not correctly validate the claims in the Azure-issued token, which could allow the bound_locations parameter to be bypassed on login. This vulnerability, identified as CVE-2025-3879, is fixed in Vault Community Edition 1.19.1 and Vault Enterprise 1.19.1, 1.18.7, 1.17.14, 1.16.18.

**Background**

The [Azure auth method](https://developer.hashicorp.com/vault/docs/auth/azure) authenticates users or machines to Vault using an assertion signed by Azure Active Directory for a configured tenant. The Azure auth method’s [bound_locations](https://developer.hashicorp.com/vault/api-docs/auth/azure#bound_locations) parameter can be set by an operator to enforce geographical restrictions on logins to Vault.

**Details**

The user-provided vm_name or vmss_name login parameters were not validated against the claims in the Azure-issued token. A caller could therefore supply a vm_name or vmss_name that satisfied the login requirements in order to bypass the bound_locations restriction. The Azure auth method now requires the user-provided resource_group_name, vm_name and vmss_name parameters to match the Azure AD token claims on login. More information can be found in https://developer.hashicorp.com/vault/docs/auth/azure#token-validation.

**Remediation**

Customers should evaluate the risk associated with this issue and consider upgrading to Vault 1.19.1, 1.18.7, 1.17.14, 1.16.18, or newer. Please refer to [Upgrading Vault](https://developer.hashicorp.com/vault/docs/upgrading) for general guidance.

**Acknowledgement**

This issue was identified by HashiCorp’s external security assessment partner.
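The check described under Details, written as an added illustration that is not Vault's own code: the caller-supplied resource_group_name, vm_name and vmss_name are compared against the identity carried in the token rather than trusted. It assumes the token's xms_mirid claim holds the managed identity's ARM resource ID; the function names and the sample resource IDs are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// ParseResourceID extracts resource group, VM and VMSS names from an ARM resource ID (for example
// /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Compute/virtualMachines/<vm>).
func ParseResourceID(id string) (rg, vm, vmss string, err error) {
	parts := strings.Split(strings.Trim(id, "/"), "/")
	for i := 0; i+1 < len(parts); i++ {
		switch strings.ToLower(parts[i]) {
		case "resourcegroups":
			rg = parts[i+1]
		case "virtualmachines":
			vm = parts[i+1]
		case "virtualmachinescalesets":
			vmss = parts[i+1]
		}
	}
	if rg == "" || (vm == "" && vmss == "") {
		err = fmt.Errorf("resource ID %q names no resource group or compute resource", id)
	}
	return rg, vm, vmss, err
}

// ValidateLoginAgainstClaims refuses a login whose caller-supplied resource_group_name, vm_name or
// vmss_name differs from the identity the token asserts, so a later bound_locations lookup cannot be
// steered toward a VM of the caller's choosing. Taking that identity from xms_mirid is an assumption.
func ValidateLoginAgainstClaims(rgName, vmName, vmssName, xmsMirid string) error {
	rg, vm, vmss, err := ParseResourceID(xmsMirid)
	if err != nil {
		return err
	}
	for _, ck := range []struct{ field, given, claimed string }{
		{"resource_group_name", rgName, rg}, {"vm_name", vmName, vm}, {"vmss_name", vmssName, vmss},
	} {
		// Azure names are case-insensitive; a supplied value must equal the claimed one, and a value
		// the token does not carry is refused rather than trusted.
		if ck.given != "" && !strings.EqualFold(ck.given, ck.claimed) {
			return fmt.Errorf("%s %q does not match token claim %q", ck.field, ck.given, ck.claimed)
		}
	}
	return nil
}

func main() {
	mirid := "/subscriptions/sub/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-web01"
	fmt.Println(ValidateLoginAgainstClaims("rg-prod", "vm-other", "", mirid))
}
```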
*We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see [https://hashicorp.com/security](https://hashicorp.com/security).*
Timeline
- May 2, 2025 CVE Published