CVE-2025-11621
Authentication Bypass vulnerability in vault (Go)


What is CVE-2025-11621 About?

This is an authentication bypass vulnerability in the AWS Auth method of Vault and Vault Enterprise that allows unauthorized access under specific misconfigurations. An attacker can bypass authentication to the AWS Auth method and gain unauthorized access to sensitive resources. How easy exploitation is depends on the `bound_principal_iam` role configuration: it is simpler when the bound role is identical across accounts or uses wildcards.

Affected Software

github.com/hashicorp/vault >0.6.0, <1.21.0

Technical Details

The vulnerability in Vault's AWS Auth method stems from inadequate validation when the bound_principal_iam setting is configured in a particular way. If the IAM role specified for bound_principal_iam is the same across multiple AWS accounts, or if it uses a wildcard, the authentication mechanism can be bypassed. This configuration weakness lets an attacker authenticate to Vault as an authorized entity by presenting credentials that match the broadly defined bound_principal_iam role, even when those credentials originate from an unintended or unauthorized AWS account.

What is the Impact of CVE-2025-11621?

Successful exploitation may allow attackers to bypass authentication controls, gain unauthorized access to Vault resources, and potentially escalate privileges within the affected environment.

What is the Exploitability of CVE-2025-11621?

Exploitation of this vulnerability is considered to be of moderate complexity, since it relies on a specific configuration of the bound_principal_iam role in Vault's AWS Auth method. An attacker needs a valid AWS identity whose role matches the misconfigured bound_principal_iam setting (either identical across accounts or matched by a wildcard). The attacker must authenticate to Vault's AWS Auth method, but the vulnerability is precisely that an unauthorized AWS identity can do so successfully. This is a remote exploitation scenario. No special conditions are stated beyond the bound_principal_iam misconfiguration, though access to a valid AWS account holding the exploitable IAM role is a prerequisite. The likelihood of exploitation rises significantly in environments where AWS IAM roles are not uniquely defined per account or where wildcards are used broadly in bound_principal_iam configurations.
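As an added example, not taken from the advisory or from Vault's own code, the following script performs a first-pass audit of AWS Auth role definitions for the two patterns described in the Technical Details and Exploitability sections: wildcard principals, and the same IAM role name bound under more than one AWS account. The advisory calls the setting bound_principal_iam; the Vault API field it corresponds to is bound_iam_principal_arn, which the constructed sample roles below use. It flags candidates for review; it does not confirm exploitability.

```python
"""Audit Vault AWS-auth roles for the bound-principal patterns this advisory
describes: wildcard principals, and the same IAM role name bound under more
than one AWS account. Input mirrors the `data` object returned by
`vault read -format=json auth/aws/role/<name>`; the roles below are constructed."""
import re
from collections import defaultdict

# arn:aws:iam::<12-digit account or *>:role|user/<name>
ARN_RE = re.compile(r"^arn:aws:iam::(?P<account>\d{12}|\*):(?:role|user)/(?P<name>.+)$")

# Constructed sample: dev and prod bind a role that differs only by account.
SAMPLE_ROLES = {
    "dev":  {"bound_iam_principal_arn": ["arn:aws:iam::111111111111:role/Deploy"]},
    "prod": {"bound_iam_principal_arn": ["arn:aws:iam::222222222222:role/Deploy"]},
    "ci":   {"bound_iam_principal_arn": ["arn:aws:iam::111111111111:role/ci-*"]},
    "ok":   {"bound_iam_principal_arn": ["arn:aws:iam::111111111111:role/Unique"]},
}

def audit_roles(roles):
    """Return (vault_role, arn, finding) tuples for bindings worth reviewing."""
    findings = []
    by_name = defaultdict(set)  # principal name -> {(account, vault_role, arn)}
    for vault_role, data in roles.items():
        for arn in data.get("bound_iam_principal_arn", []):
            if "*" in arn:  # Vault accepts wildcards here; the advisory flags them
                findings.append((vault_role, arn, "wildcard principal"))
            m = ARN_RE.match(arn)
            if m is None:
                findings.append((vault_role, arn, "unrecognised ARN"))
                continue
            by_name[m["name"]].add((m["account"], vault_role, arn))
    # Second pattern: one role name bound under several accounts.
    for bindings in by_name.values():
        if len({account for account, _, _ in bindings}) > 1:
            for _, vault_role, arn in sorted(bindings):
                findings.append((vault_role, arn, "same principal name bound across accounts"))
    return findings

if __name__ == "__main__":
    for vault_role, arn, finding in audit_roles(SAMPLE_ROLES):
        print(f"{vault_role:<6} {finding:<42} {arn}")
```

To audit a live mount, list roles with `vault list auth/aws/role`, read each one with `vault read -format=json`, and pass the collected `data` objects to `audit_roles`.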

What are the Known Public Exploits?

Known public exploits (PoC / Author / Link / Commentary): no known exploits.

What are the Available Fixes for CVE-2025-11621?

Available Upgrade Options

  • github.com/hashicorp/vault
    • >0.6.0, <1.21.0 → Upgrade to 1.21.0


Additional Resources

What are Similar Vulnerabilities to CVE-2025-11621?

Similar Vulnerabilities: CVE-2021-32529, CVE-2022-23647, CVE-2023-28432, CVE-2023-38407, CVE-2024-21650