HCSEC-2025-34 - Terraform Enterprise state versions can be created by users without sufficient write access

Bulletin ID: HCSEC-2025-34
Affected Products / Versions: Terraform Enterprise up to 1.1.0 and 1.0.2; fixed in Terraform Enterprise 1.1.1 and 1.0.3
Publication Date: November 21, 2025

Summary
Terraform state versions can be created by a user with a specific but insufficient combination of permissions in a Terraform Enterprise workspace. This may allow infrastructure to be altered if a subsequent plan operation is approved by a user with approval permission or is auto-applied. This vulnerability, CVE-2025-13432, is fixed in Terraform Enterprise versions 1.1.1 and 1.0.3.

Background
In Terraform Enterprise, organization users are added to a Team. Teams can be granted permissions at the organization, project, and workspace levels. Each set of permissions is additive, and a Team’s effective permission is the sum of the permissions granted at each level of scope.

Details
A user who is part of a Team that holds the “Lock/Unlock workspace” permission together with either the “View all workspaces” organization-level permission or “Read” state access at the project or workspace level can write a new state version within a workspace. The organization-level permissions “Manage all workspaces” and “Manage all projects” implicitly grant permission to lock or unlock a workspace.

This combination of permissions allows a user to create a new state version after locking a workspace, even if the user does not have “write” state access permission. Creating a new state version that differs from the previous version may cause a subsequent Terraform apply operation to alter infrastructure if the plan operation is approved by a user or is auto-applied. All infrastructure operations are correctly represented in the plan output. Previous state versions are not deleted or modified and can be rolled back to at any point.
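A defender-side audit of the permission combination described above, added here as an example that is not part of the bulletin: it models the additive scoping described under Background (organization, project and workspace grants summed into an effective permission) and flags teams whose effective permissions on a workspace include lock/unlock and read-side access but no state write access. The permission names, grant layout and sample teams are assumptions constructed for this example, not Terraform Enterprise's API or data.

```python
# Audit helper for the HCSEC-2025-34 permission combination (constructed example).
# Effective permission = union of grants at organization, project and workspace
# scope, as the bulletin describes; a team is flagged when that union lets it
# lock a workspace and read state (or View all workspaces) but not write state.
LOCK = "lock_unlock_workspace"          # assumed name for "Lock/Unlock workspace"
STATE_READ = "state:read"               # assumed name for "Read" state access
STATE_WRITE = "state:write"             # assumed name for "Write" state access
ORG_VIEW_ALL = "view_all_workspaces"    # assumed name for "View all workspaces"
ORG_MANAGE_WS = "manage_all_workspaces"  # assumed name for "Manage all workspaces"
ORG_MANAGE_PROJ = "manage_all_projects"  # assumed name for "Manage all projects"

def effective_permissions(grants, project, workspace):
    """Union of a team's grants at every scope covering `workspace`.
    grants = {"org": set, "project": {name: set}, "workspace": {name: set}}.
    Manage-all-workspaces / Manage-all-projects implicitly grant lock/unlock
    (stated in the bulletin), so that implication is applied here."""
    eff = set(grants.get("org", set()))
    eff |= grants.get("project", {}).get(project, set())
    eff |= grants.get("workspace", {}).get(workspace, set())
    if ORG_MANAGE_WS in eff or ORG_MANAGE_PROJ in eff:
        eff.add(LOCK)
    return eff

def is_risky(eff):
    """Lock/unlock plus read-side access, without state write access."""
    can_read = STATE_READ in eff or ORG_VIEW_ALL in eff
    return LOCK in eff and can_read and STATE_WRITE not in eff

def audit(teams, workspaces):
    """teams = {team: grants}; workspaces = {workspace: project}.
    Returns sorted (team, workspace) pairs holding the risky combination."""
    return sorted((team, ws)
                  for team, grants in teams.items()
                  for ws, proj in workspaces.items()
                  if is_risky(effective_permissions(grants, proj, ws)))

# Constructed sample data, not taken from any real organization.
SAMPLE_WORKSPACES = {"prod-net": "networking", "dev-app": "apps"}
SAMPLE_TEAMS = {
    "ops-readers": {"org": {ORG_VIEW_ALL}, "workspace": {"prod-net": {LOCK}}},
    "net-admins": {"project": {"networking": {LOCK, STATE_READ, STATE_WRITE}}},
    "auditors": {"project": {"apps": {STATE_READ}}},
}

if __name__ == "__main__":
    for team, ws in audit(SAMPLE_TEAMS, SAMPLE_WORKSPACES):
        print(f"review: {team!r} can lock and read but not write state on {ws!r}")
```

Teams that are flagged should have their grants reviewed against the intended state access before relying on the upgrade alone.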

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Terraform Enterprise version 1.1.1 or 1.0.3.

Acknowledgement
This issue was identified by an external party who reported it to HashiCorp.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.