CVE-2025-3879: 
HashiCorp Vault vulnerability analysis and mitigation

Vault Community and Vault Enterprise ('Vault') Azure Auth method contained a vulnerability (CVE-2025-3879) where it failed to correctly validate the claims in the Azure-issued token, potentially allowing bypass of the bound_locations parameter on login. The vulnerability was discovered on May 2, 2025, affecting Vault Community Edition from version 0.10.0 up to 1.19.0 and Vault Enterprise from version 0.10.0 up to 1.19.0, 1.18.6, 1.17.13, 1.16.17 (HashiCorp Advisory, NVD Database).

The vulnerability stems from improper validation of user-provided vmname or vmssname login parameters against Azure-issued token claims. An attacker could potentially set a vmname or vmssname that satisfies login requirements to bypass the bound_location restriction. The issue has been assigned a CVSS v3.1 Base Score of 6.6 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H and is classified under CWE-863 (Incorrect Authorization) (NVD Database, Wiz Analysis).

The vulnerability could allow attackers to bypass geographical restrictions for logins to Vault that were intended to be enforced by the bound_locations parameter. This bypass could potentially compromise the geographical access control mechanisms put in place by system operators (HashiCorp Advisory).

HashiCorp has released fixes in Vault Community Edition 1.19.1 and Vault Enterprise versions 1.19.1, 1.18.7, 1.17.14, and 1.16.18. The patch ensures that the Azure auth method now requires user-provided resourcegroupname, vmname, and vmssname parameters to match the Azure AD token claims on login. Organizations are strongly advised to upgrade to these patched versions (HashiCorp Advisory).