CVE-2025-13432

MEDIUM EPSS 5.4%

Published Nov 21, 20257mo ago · Modified Jun 17, 20261w ago

4.3 CVSS 3.1

Medium

Published Nov 21, 2025 7mo ago

Last Modified Jun 17, 2026 1w ago

Description

Terraform state versions can be created by a user with specific but insufficient permissions in a Terraform Enterprise workspace. This may allow for the alteration of infrastructure if a subsequent plan operation is approved by a user with approval permission or auto-applied. This vulnerability, CVE-2025-13432, is fixed in Terraform Enterprise version 1.1.1 and 1.0.3.

CVSS Details

Base Score

4.3

Exploitability

2.8

Impact

1.4

Vector string

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required Low

User Interaction None

Scope Unchanged

Confidentiality None

Integrity Low

Availability None

Threat Intelligence

EPSS Exploit Probability

5.4% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-863 Incorrect Authorization Authorization

Affected Products 2

Vendor	Product	Version	Range
hashicorp	terraform	*	≥1.0.0 – <1.0.3
hashicorp	terraform	1.1.0	any

References 1

discuss.hashicorp.com https://discuss.hashicorp.com/t/hcsec-2025-34-terraform-enterprise-state-versions-can-be-created-by-users-without-sufficient-write-access/76821

Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.