CVE-2025-11621: HashiCorp Vault and Vault Enterprise's AWS Auth method may be susceptible to authentication bypass
Vault and Vault Enterprise’s (“Vault”) AWS Auth method may be susceptible to authentication bypass if the role of the configured bound_principal_iam is the same across AWS accounts, or uses a wildcard. This vulnerability is fixed in Vault Community Edition 1.21.0 and Vault Enterprise 1.21.0, 1.20.5, 1.19.11, and 1.16.27.
References
- discuss.hashicorp.com/t/hcsec-2025-30-vault-aws-auth-method-authentication-bypass-through-mishandling-of-cache-entries/76709
- github.com/advisories/GHSA-9g4h-h484-3578
- github.com/hashicorp/vault
- github.com/hashicorp/vault/commit/8d07273d14ae7f5a48cc96f66cc86615dea83390
- nvd.nist.gov/vuln/detail/CVE-2025-11621
Code Behaviors & Features
Detect and mitigate CVE-2025-11621 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →