CVE-2025-3879 Information

Description

Vault Community Vault Enterprise (“Vault”) Azure Auth method did not correctly validate the claims in the Azure-issued token resulting in the potential bypass of the bound_locations parameter on login. Fixed in Vault Community Edition 1.19.1 and Vault Enterprise 1.19.1 1.18.7 1.17.14 1.16.18.

Reference

https://discuss.hashicorp.com/t/hcsec-2025-07-vault-s-azure-authentication-method-bound-location-restriction-could-be-bypassed-on-login/74716