CVE-2025-11621
BaseFortify
Publication date: 2025-10-23
Last updated on: 2025-12-29
Assigner: HashiCorp Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hashicorp | vault | From 0.6.0 (inc) to 1.16.27 (exc) |
| hashicorp | vault | From 0.6.0 (inc) to 1.21.0 (exc) |
| hashicorp | vault | From 1.18.0 (inc) to 1.18.15 (inc) |
| hashicorp | vault | From 1.19.0 (inc) to 1.19.11 (exc) |
| hashicorp | vault | From 1.20.0 (inc) to 1.20.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-11621 is an authentication bypass vulnerability in HashiCorp Vault's AWS Auth method. It occurs because Vault caches AWS clients but does not verify the AWS account ID when checking this cache. If the configured bound_principal_iam role is the same across multiple AWS accounts or uses wildcards, an attacker with a matching role in a different AWS account can bypass authentication and obtain Vault tokens illegitimately. This flaw also exists in Vault's EC2 authentication method, allowing potential cross-account privilege escalation. [1]
How can this vulnerability impact me? :
This vulnerability can allow attackers to bypass authentication controls and gain unauthorized access to Vault tokens. As a result, attackers may access sensitive data stored in Vault and potentially escalate privileges within the Vault environment, compromising the security of your systems and data. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves checking if your Vault deployment uses the AWS Auth method with the bound_principal_iam role configured identically across multiple AWS accounts or using wildcards in the ARN. You can inspect Vault configuration files or query Vault's auth methods to identify such configurations. For example, use the Vault CLI command `vault read auth/aws/config/client` to review AWS Auth method settings. Additionally, verify the Vault version to see if it is vulnerable (versions prior to Community Edition 1.21.0 or Enterprise versions prior to 1.21.0, 1.20.5, 1.19.11, and 1.16.27). There are no specific network detection commands provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Vault to the fixed versions: Vault Community Edition 1.21.0 or Vault Enterprise versions 1.21.0, 1.20.5, 1.19.11, or 1.16.27. Additionally, review and avoid using identical bound_principal_iam roles across multiple AWS accounts or wildcards in the ARN to prevent authentication bypass. Assess your Vault AWS Auth method configuration and restrict role bindings to specific AWS accounts to reduce exposure. [1]