CVE-2025-13432: Critical Terraform Enterprise Security Flaw – Unauthorized State Version Creation

Overview

CVE-2025-13432 is a medium severity vulnerability affecting Terraform Enterprise. It allows a user with specific, but insufficient, permissions to create Terraform state versions within a workspace. This unauthorized state version creation can lead to the alteration of infrastructure if a subsequent plan operation based on the tampered state is approved (either manually or auto-applied).

Technical Details

The vulnerability stems from inadequate permission checks during the state version creation process. A user, who should not possess the ability to modify state directly, can leverage a specific combination of permissions to create a new state version. This newly created state version may contain malicious or unintended changes. If a plan is subsequently generated based on this altered state, and that plan is approved, the underlying infrastructure will be affected.

The vulnerability affects Terraform Enterprise releases in the 1.1 line prior to 1.1.1 and releases in the 1.0 line prior to 1.0.3.

CVSS Analysis

  • CVSS Score: 4.3 (Medium)
  • Vector String: not provided in the advisory summarized here; the score is consistent with a network-reachable flaw that needs user interaction to take effect.
  • The CVSS score reflects the potential for unauthorized modification of infrastructure state, requiring user interaction (plan approval) to be fully exploited.

Possible Impact

The exploitation of CVE-2025-13432 can have significant consequences:

  • Infrastructure Tampering: Unauthorized modification of infrastructure configurations, potentially leading to misconfigurations, downtime, or security breaches.
  • Data Loss: Changes to infrastructure could inadvertently cause data loss or corruption.
  • Compliance Violations: Unapproved changes to infrastructure may violate compliance requirements.
  • Denial of Service: Malicious state changes could lead to infrastructure instability and denial of service.

Mitigation or Patch Steps

The vulnerability is fixed in the following Terraform Enterprise versions:

  • Terraform Enterprise 1.1.1
  • Terraform Enterprise 1.0.3

To mitigate the risk, immediately upgrade your Terraform Enterprise installation to one of the patched versions. Follow the official Terraform Enterprise upgrade documentation for detailed instructions. Regularly review and audit Terraform Enterprise user permissions to ensure least privilege is enforced.
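The two checks a defender would want after reading the version and permission guidance above, as an added example (not code from the original post or from HashiCorp): first, whether a reported Terraform Enterprise version string falls in the affected range the advisory describes (1.0.x before 1.0.3, 1.1.x before 1.1.1); second, which teams on a workspace hold state-version write, either through the fixed "write"/"admin" access levels, which include writing state versions, or through a custom access set with `state-versions` set to `write`. The team-access records assume the documented Team Access API shape (`GET /api/v2/team-workspaces?filter[workspace][id]=...`); the team and workspace IDs in the sample payload are constructed, and the fetch helper does not follow pagination.

```python
import json
import re
import urllib.parse
import urllib.request
from typing import Dict, List, Optional, Tuple

# Release lines named in the advisory and the first fixed build in each.
FIXED_IN = {(1, 0): (1, 0, 3), (1, 1): (1, 1, 1)}

# Fixed access levels whose permission set includes writing state versions.
STATE_WRITE_LEVELS = {"write", "admin"}


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Turn '1.1.0' or 'v1.0.2' into a tuple; return None for strings that do
    not look like a semantic version (e.g. older date-style release names)."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())  # type: ignore[return-value]


def is_affected(version: str) -> Optional[bool]:
    """True if the version is in the affected range, False if it carries the fix,
    None if the string is not a semantic version and must be checked by hand."""
    v = parse_version(version)
    if v is None:
        return None
    if v >= (1, 1, 1):        # 1.1.1 and every later release line
        return False
    if v >= (1, 1, 0):        # 1.1.0 only
        return True
    if v >= (1, 0, 3):        # 1.0.3 up to, but not including, 1.1.0
        return False
    return True               # 1.0.0 - 1.0.2 (and anything parsed below 1.0.0)


def teams_with_state_write(payload: Dict) -> List[Tuple[str, str, str]]:
    """Return (team_id, access_level, reason) for every team-access record on
    the workspace that allows creating state versions."""
    hits = []
    for rec in payload.get("data", []):
        attrs = rec.get("attributes", {})
        team = rec.get("relationships", {}).get("team", {}).get("data", {})
        team_id = team.get("id", "<unknown team>")
        access = attrs.get("access")
        if access in STATE_WRITE_LEVELS:
            hits.append((team_id, access, "fixed access level includes state write"))
        elif access == "custom" and attrs.get("state-versions") == "write":
            hits.append((team_id, access, "custom permission set grants state-versions: write"))
    return hits


def fetch_team_access(hostname: str, token: str, workspace_id: str) -> Dict:
    """Fetch the first page of team-access records for one workspace.
    Assumes a user or team token with permission to read team access."""
    query = urllib.parse.urlencode({"filter[workspace][id]": workspace_id})
    req = urllib.request.Request(
        f"https://{hostname}/api/v2/team-workspaces?{query}",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/vnd.api+json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample payload in the Team Access API shape (IDs are not real).
SAMPLE_TEAM_ACCESS = {
    "data": [
        {"id": "tws-CONSTRUCTED-1", "type": "team-workspaces",
         "attributes": {"access": "write"},
         "relationships": {"team": {"data": {"id": "team-CONSTRUCTED-ops", "type": "teams"}}}},
        {"id": "tws-CONSTRUCTED-2", "type": "team-workspaces",
         "attributes": {"access": "plan"},
         "relationships": {"team": {"data": {"id": "team-CONSTRUCTED-dev", "type": "teams"}}}},
        {"id": "tws-CONSTRUCTED-3", "type": "team-workspaces",
         "attributes": {"access": "custom", "runs": "plan", "variables": "none",
                        "state-versions": "write", "sentinel-mocks": "none",
                        "workspace-locking": False, "run-tasks": False},
         "relationships": {"team": {"data": {"id": "team-CONSTRUCTED-custom", "type": "teams"}}}},
        {"id": "tws-CONSTRUCTED-4", "type": "team-workspaces",
         "attributes": {"access": "custom", "runs": "read", "variables": "read",
                        "state-versions": "read-outputs", "sentinel-mocks": "none",
                        "workspace-locking": False, "run-tasks": False},
         "relationships": {"team": {"data": {"id": "team-CONSTRUCTED-audit", "type": "teams"}}}},
    ]
}


if __name__ == "__main__":
    for ver in ("1.1.0", "v1.0.2", "1.0.3", "1.1.1", "v202508-1"):
        print(f"{ver:12} affected={is_affected(ver)}")
    for team_id, access, reason in teams_with_state_write(SAMPLE_TEAM_ACCESS):
        print(f"{team_id}: access={access} ({reason})")
```

Running the script against a live instance means replacing `SAMPLE_TEAM_ACCESS` with the result of `fetch_team_access(...)` for each workspace; the version check is meant for the version string your operators report, since the advisory gives the affected range only in semantic-version terms.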

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
