CVE-2025-3879: Hashicorp Vault Community vulnerable to Incorrect Authorization

May 2, 2025 (updated May 6, 2025)

Vault Community, Vault Enterprise (“Vault”) Azure Auth method did not correctly validate the claims in the Azure-issued token, resulting in the potential bypass of the bound_locations parameter on login. Fixed in Vault Community Edition 1.19.1 and Vault Enterprise 1.19.1, 1.18.7, 1.17.14, 1.16.18.

References

discuss.hashicorp.com/t/hcsec-2025-07-vault-s-azure-authentication-method-bound-location-restriction-could-be-bypassed-on-login/74716
github.com/advisories/GHSA-f9ch-h8j7-8jwg
github.com/hashicorp/vault
nvd.nist.gov/vuln/detail/CVE-2025-3879
pkg.go.dev/vuln/GO-2025-3662

Code Behaviors & Features

Detect and mitigate CVE-2025-3879 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →