CVE-2025-13432
Terraform Enterprise state versions can be created by users with specific permissions without sufficient write access
Description
Terraform state versions can be created by a user with specific but insufficient permissions in a Terraform Enterprise workspace. This may allow for the alteration of infrastructure if a subsequent plan operation is approved by a user with approval permission or auto-applied. This vulnerability, CVE-2025-13432, is fixed in Terraform Enterprise version 1.1.1 and 1.0.3.
INFO
Published Date :
Nov. 21, 2025, 2:20 p.m.
Last Modified :
Nov. 21, 2025, 2:20 p.m.
Remotely Exploit :
No
Source :
HashiCorp
Affected Products
The following products are affected by CVE-2025-13432
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
No affected product recoded yet
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | MEDIUM | 67fedba0-ff2e-4543-ba5b-aa93e87718cc |
Solution
- Update Terraform Enterprise to version 1.1.1 or later.
- Update Terraform Enterprise to version 1.0.3 or later.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-13432 vulnerability anywhere in the article.