HCSEC-2025-07 - Vault’s Azure Authentication Method bound_location Restriction Could be Bypassed on Login

Bulletin ID: HCSEC-2025-07
Affected Products / Versions: Vault Community Edition from 0.10.0 up to 1.19.0, fixed in 1.19.1.
Vault Enterprise from 0.10.0 up to 1.19.0, 1.18.6, 1.17.13, 1.16.17, fixed in 1.19.1, 1.18.7, 1.17.14, 1.16.18.

Publication Date: May 2, 2025

Summary
The Azure auth method in Vault Community Edition and Vault Enterprise (“Vault”) did not correctly validate the claims in the Azure-issued token, which allowed the bound_locations parameter to be bypassed on login. This vulnerability, identified as CVE-2025-3879, is fixed in Vault Community Edition 1.19.1 and Vault Enterprise 1.19.1, 1.18.7, 1.17.14, 1.16.18.

Background
The Azure auth method authenticates users or machines to Vault using an assertion signed by Azure Active Directory for a configured tenant.

The Azure auth method’s bound_locations parameter can be set by an operator to enforce geographical restrictions for logins to Vault.

Details
The user-provided vm_name or vmss_name login parameters were not validated against the claims in the Azure-issued token. A caller could therefore supply a vm_name or vmss_name that satisfied the login requirements, even though the token had not been issued for that resource, and bypass the bound_locations restriction.

The Azure auth method now requires the user-provided resource_group_name, vm_name and vmss_name parameters to match the Azure AD token claims on login. More information can be found in the Azure auth method documentation (Azure - Auth Methods | Vault | HashiCorp Developer).
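As an added illustration, not Vault's own code, the post-fix check in Go: the caller-supplied resource_group_name, vm_name and vmss_name are compared with the identity the token attests before the VM's location is looked up and compared with bound_locations, whereas before the fix only the named VM's location was checked. It assumes the token carries the caller's ARM resource ID in a managed-identity claim and uses a lookupLocation callback in place of the Azure API call; the claim layout, the callback and all resource names are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// LoginParams are the caller-supplied fields on the Azure auth login path.
type LoginParams struct{ ResourceGroupName, VMName, VMSSName string }
// validateLoginParams is the post-fix check: each supplied name must equal (case-insensitively, as
// ARM names are) the matching segment of the ARM resource ID the token attests, assumed here to sit
// in its managed-identity claim, e.g. /subscriptions/<sub>/resourceGroups/<rg>/.../virtualMachines/<vm>.
func validateLoginParams(p LoginParams, resourceIDClaim string) error {
	if p.ResourceGroupName == "" || (p.VMName == "" && p.VMSSName == "") {
		return fmt.Errorf("resource_group_name and one of vm_name or vmss_name are required")
	}
	seg := map[string]string{} // lower-cased segment name -> value
	parts := strings.Split(strings.Trim(resourceIDClaim, "/"), "/")
	for i := 0; i+1 < len(parts); i += 2 {
		seg[strings.ToLower(parts[i])] = parts[i+1]
	}
	for _, c := range []struct{ field, got, want string }{
		{"resource_group_name", p.ResourceGroupName, seg["resourcegroups"]},
		{"vm_name", p.VMName, seg["virtualmachines"]},
		{"vmss_name", p.VMSSName, seg["virtualmachinescalesets"]},
	} {
		if c.got != "" && !strings.EqualFold(c.got, c.want) {
			return fmt.Errorf("%s %q does not match the token's %q", c.field, c.got, c.want)
		}
	}
	return nil
}
// authorize is the login flow after the fix: the claim check runs before the VM lookup, so the location
// compared against bound_locations is the attested VM's. lookupLocation stands in for the Azure API call (assumption).
func authorize(p LoginParams, claim string, boundLocations []string, lookupLocation func(rg, name string) string) error {
	if err := validateLoginParams(p, claim); err != nil {
		return err
	}
	name := p.VMName
	if name == "" {
		name = p.VMSSName
	}
	loc := lookupLocation(p.ResourceGroupName, name)
	for _, b := range boundLocations {
		if strings.EqualFold(b, loc) {
			return nil
		}
	}
	return fmt.Errorf("location %q is not in bound_locations", loc)
}
```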

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Vault 1.19.1, 1.18.7, 1.17.14, 1.16.18, or newer. Please refer to Upgrading Vault for general guidance.

Acknowledgement
This issue was identified by HashiCorp’s external security assessment partner.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.