Bulletin ID: HCSEC-2025-05
Affected Products / Versions: Terraform Enterprise up to v202502-1; fixed in v202502-2.
Publication Date: March 13, 2025
Summary
Terraform Enterprise’s single sign-on functionality is implemented using the Ruby SAML library, which disclosed two authentication bypass vulnerabilities exploitable by an XML signature wrapping attack: a forged SAML assertion can be accepted as if it were the one covered by a legitimate identity provider signature. The vulnerabilities, CVE-2025-25291 and CVE-2025-25292, were addressed by upgrading the Ruby SAML version used in Terraform Enterprise v202502-2.
Background
Terraform Enterprise provides single sign-on (SSO) functionality via optional SAML integration with an identity provider (configuration docs, tutorial).
Details
Terraform Enterprise’s SSO functionality is implemented using the open source Ruby SAML library, which recently disclosed two related authentication bypass vulnerabilities, CVE-2025-25291 and CVE-2025-25292. Both are parser differential issues: the library processed the same SAML response with two XML parsers (REXML and Nokogiri) that could be made to disagree about which element a signature covers, so a signed element and the element whose contents are trusted need not be the same. An attacker holding a single valid signature produced with the key used to validate the target organization’s SAML responses or assertions can use it to construct assertions of their own and sign in as any user. Additional information regarding these CVEs has been published by GitHub Security Lab.
The version of the Ruby SAML library in use by Terraform Enterprise has been upgraded to a newer release (ruby-saml 1.18.0) in which both vulnerabilities are addressed.
This release of the library also addresses a denial of service vulnerability, CVE-2025-25293, in which a maliciously compressed SAML response can exhaust resources when it is decompressed.
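As an added illustration (not code from ruby-saml, Terraform Enterprise, or the GitHub Security Lab write-up), the following Ruby script shows the structural invariant that signature wrapping breaks and the check that restores it: the ID named by the signature’s Reference must resolve to exactly one element, that element must be the one the signature is enveloped in, and the subject must be read from that same node. The two SAML responses are constructed samples, the signature values are placeholders, no cryptographic verification is performed, and the layout (one enveloped signature per assertion, the wrapped copy parked under samlp:Extensions) is a deliberately simplified generic signature-wrapping case, not the specific REXML/Nokogiri parser differential behind CVE-2025-25291 and CVE-2025-25292.

```ruby
require "rexml/document"
require "rexml/xpath"

# Added illustration, not ruby-saml or Terraform Enterprise code. Signature values are
# placeholders and no cryptographic verification is performed; a real consumer must
# also verify the signature bytes over the referenced element.
NS = {
  "samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
  "saml"  => "urn:oasis:names:tc:SAML:2.0:assertion",
  "ds"    => "http://www.w3.org/2000/09/xmldsig#",
}.freeze

# Constructed sample: a Response carrying one assertion for alice with an enveloped
# signature whose Reference points at the assertion's own ID.
CLEAN_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="#{NS["samlp"]}" xmlns:saml="#{NS["saml"]}" ID="_resp1" Version="2.0">
    <saml:Assertion ID="_a1" Version="2.0">
      <ds:Signature xmlns:ds="#{NS["ds"]}">
        <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
      </ds:Signature>
      <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Response>
XML

# Constructed sample of signature wrapping: the signed assertion is moved intact under
# <samlp:Extensions>, and a forged, unsigned assertion reusing the ID "_a1" is placed
# where a lookup by ID or by document order sees it first.
WRAPPED_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="#{NS["samlp"]}" xmlns:saml="#{NS["saml"]}" ID="_resp1" Version="2.0">
    <saml:Assertion ID="_a1" Version="2.0">
      <saml:Subject><saml:NameID>admin@example.com</saml:NameID></saml:Subject>
    </saml:Assertion>
    <samlp:Extensions>
      <saml:Assertion ID="_a1" Version="2.0">
        <ds:Signature xmlns:ds="#{NS["ds"]}">
          <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
          <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
        </ds:Signature>
        <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
      </saml:Assertion>
    </samlp:Extensions>
  </samlp:Response>
XML

# Locate the first signature and the same-document ID its Reference names.
# Returns [signature_element, id], or nil when there is no usable reference.
def signature_and_id(doc)
  ref = REXML::XPath.first(doc, "//ds:Signature/ds:SignedInfo/ds:Reference", NS)
  return nil unless ref
  uri = ref.attributes["URI"].to_s
  return nil unless uri.start_with?("#")
  [ref.parent.parent, uri[1..]]
end

def name_id_of(assertion)
  node = REXML::XPath.first(assertion, "saml:Subject/saml:NameID", NS)
  node && node.text.to_s.strip
end

# Naive consumer: the signature is checked (elsewhere) against whatever the Reference
# covers, then "the assertion with that ID" is looked up separately and trusted.
# Two independent lookups for one ID is exactly the gap wrapping exploits.
def naive_name_id(xml)
  doc = REXML::Document.new(xml)
  _sig, id = signature_and_id(doc)
  assertion = REXML::XPath.match(doc, "//saml:Assertion", NS).find { |a| a.attributes["ID"] == id }
  assertion && name_id_of(assertion)
end

# Hardened consumer: resolve the ID once, demand a unique match, demand that the match
# is the element the signature is enveloped in and a top-level assertion, and read the
# subject from that same node. Returns [:ok, name_id] or [:reject, reason].
def hardened_name_id(xml)
  doc = REXML::Document.new(xml)
  sig, id = signature_and_id(doc)
  return [:reject, "no same-document signature reference"] unless sig

  matches = REXML::XPath.match(doc, "//*[@ID]").select { |e| e.attributes["ID"] == id }
  unless matches.size == 1
    return [:reject, "ID #{id.inspect} resolves to #{matches.size} elements, expected exactly 1"]
  end
  signed = matches.first

  return [:reject, "signature is not enveloped in the element it references"] unless sig.parent.equal?(signed)
  unless signed.name == "Assertion" && signed.namespace == NS["saml"] && signed.parent.equal?(doc.root)
    return [:reject, "referenced element is not a top-level saml:Assertion"]
  end

  name_id = name_id_of(signed)
  name_id ? [:ok, name_id] : [:reject, "signed assertion has no NameID"]
end

if $PROGRAM_NAME == __FILE__
  puts "clean:   naive=#{naive_name_id(CLEAN_RESPONSE)} hardened=#{hardened_name_id(CLEAN_RESPONSE).inspect}"
  puts "wrapped: naive=#{naive_name_id(WRAPPED_RESPONSE)} hardened=#{hardened_name_id(WRAPPED_RESPONSE).inspect}"
end
```

On the clean response both consumers return alice; on the wrapped response the naive consumer returns admin, the identity of an assertion nobody signed, while the hardened consumer rejects the document because the referenced ID is not unique. The uniqueness rule is the important one: once two elements can claim the same ID, every later lookup by ID is attacker-controlled, which is why patched SAML libraries treat duplicate IDs as a hard failure rather than picking the first match.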
Remediation
Customers using Terraform Enterprise’s SSO feature should prioritize an upgrade to Terraform Enterprise v202502-2 or newer. Please refer to Upgrade Terraform Enterprise for general guidance and Terraform Enterprise Releases for version-specific upgrade notes.
Customers who use Terraform Enterprise’s SSO but are unable to upgrade to v202502-2 or newer in the near future should ensure that their Terraform Enterprise deployments are reachable only from trusted network locations. This is a compensating control that limits who can reach the SAML endpoints; it does not correct the validation flaw, and an upgrade remains the fix.
Customers on a Replicated deployment of Terraform Enterprise should refer to Migrate to non-Replicated runtime. To continue receiving the latest features and fixes, including security patches, plan to migrate to a new deployment option immediately.
Acknowledgement
Thanks to the Ruby SAML maintainers, GitHub Security Lab, ahacker1, and others involved in this coordinated disclosure.
We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.