CVE-2025-13432
📋 TL;DR
In Terraform Enterprise, users with specific but insufficient permissions can create state versions in workspaces, potentially allowing infrastructure alteration if subsequent plan operations are approved or auto-applied. This affects organizations using Terraform Enterprise with workspace-based permissions. The vulnerability is an authorization bypass that could lead to unauthorized infrastructure changes.
💻 Affected Systems
- Terraform Enterprise
📦 What is this software?
Terraform by HashiCorp
⚠️ Risk & Real-World Impact
Worst Case
An attacker with limited permissions could modify Terraform state to alter production infrastructure, potentially causing service disruption, data loss, or security breaches.
Likely Case
Accidental or intentional state modifications by users with partial permissions could cause infrastructure drift or configuration errors requiring manual remediation.
If Mitigated
With proper approval workflows and monitoring, unauthorized changes would be caught before application, limiting impact to administrative overhead.
🎯 Exploit Status
Requires authenticated user with specific workspace permissions and either approval bypass or auto-apply configuration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.1 or 1.0.3
Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2025-34-terraform-enterprise-state-versions-can-be-created-by-users-without-sufficient-write-access/76821
Restart Required: Yes
Instructions:
1. Back up the Terraform Enterprise instance.
2. Upgrade to version 1.1.1 (latest) or 1.0.3 (stable).
3. Restart Terraform Enterprise services.
4. Verify upgrade completion.
🔧 Temporary Workarounds
Tighten workspace permissions
Review and restrict workspace permissions to ensure only authorized users can create state versions and approve plans.
Disable auto-apply
Disable auto-apply in workspace settings to require manual approval for all plan applications.
🧯 If You Can't Patch
- Implement strict approval workflows requiring multiple reviewers for all plan applications
- Enable detailed audit logging for all state version creation and plan approval activities
🔍 How to Verify
Check if Vulnerable:
Check the Terraform Enterprise version via the admin UI or API. If the version is below 1.1.1 and is not the 1.0.3 backport release, the system is vulnerable.
Check Version:
curl -H "Authorization: Bearer <token>" https://<tfe-hostname>/api/v2/ping
Verify Fix Applied:
Confirm the version is 1.1.1 or 1.0.3 via the admin interface or the API endpoint.
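The version rule above has a branch in it (the 1.0 line is fixed at 1.0.3, everything else at 1.1.1), which is easy to get wrong when checking many instances. The following Python is an added example, not code from the advisory or from HashiCorp: it takes whatever version string the admin UI or API reports and classifies it. It assumes that releases after the fixed version on the same line also carry the fix (so 1.0.4 and 1.2.0 count as fixed), and it returns "unknown" for a string it cannot parse, such as the older date-based scheme, rather than letting an unrecognised format read as safe.

```python
import re

# Fixed releases named in the advisory: 1.1.1 on the current line and
# 1.0.3 as the backport on the 1.0 maintenance line.
FIXED_CURRENT = (1, 1, 1)
FIXED_BACKPORT = (1, 0, 3)

SEMVER = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Pull MAJOR.MINOR.PATCH out of a version string such as 'v1.0.3' or
    '1.1.1-rc1'. Pre-release suffixes are ignored. Raises ValueError when no
    semver triple is present, which is what an older date-based Terraform
    Enterprise version (e.g. 'v202410-1') looks like."""
    match = SEMVER.search(text)
    if match is None:
        raise ValueError(f"unrecognised Terraform Enterprise version: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version):
    """Apply the advisory's rule to a parsed (major, minor, patch) tuple.
    Assumption: every release at or after the fixed version on its own line
    carries the fix, so 1.0.4 and 1.2.0 are treated as fixed."""
    if version[:2] == (1, 0):
        return version < FIXED_BACKPORT
    return version < FIXED_CURRENT


def classify(version_text):
    """Return 'vulnerable', 'fixed' or 'unknown' for the string reported by
    the admin UI or API. An unparseable string is reported as 'unknown'
    instead of silently passing as fixed."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unknown"
    return "vulnerable" if is_vulnerable(version) else "fixed"


if __name__ == "__main__":
    import sys

    # Constructed sample inputs when no versions are given on the command line.
    for arg in sys.argv[1:] or ["1.0.2", "1.0.3", "1.1.0", "1.1.1", "v202410-1"]:
        print(f"{arg}: {classify(arg)}")
```

Run it with the version strings of each instance as arguments; anything reported as "unknown" should be looked at by hand rather than assumed patched.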
📡 Detection & Monitoring
Log Indicators:
- Unauthorized state version creation attempts
- Plan approvals from unexpected users
- State modifications without proper permissions
Network Indicators:
- API calls to create state versions from unauthorized users
SIEM Query:
source="terraform-enterprise" AND (event="state_version_created" OR event="plan_applied") | stats count by user, workspace
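For teams that cannot run the SIEM query directly, the same detection can be done over an exported audit log. The Python below is an added example, not code from the advisory or from HashiCorp. The log lines it consumes are constructed and use a simplified JSON-lines shape with only the fields the query keys on (event, user, workspace), not the real Terraform Enterprise audit format, and the per-workspace write-access roster is an assumed input that in practice would come from the organization's team settings. It reproduces the query's count by user and workspace, and then flags the pattern this CVE produces: a state version created by a user who is not on the workspace's write-access roster.

```python
import json
from collections import Counter

# Constructed sample audit events in a simplified JSON-lines shape; this is
# not the real Terraform Enterprise audit log format. The third line is
# deliberately malformed to show that a bad line does not abort the scan.
SAMPLE_LOG = """\
{"event": "state_version_created", "user": "alice", "workspace": "prod-network"}
{"event": "plan_applied", "user": "alice", "workspace": "prod-network"}
this line is not JSON and must be skipped
{"event": "state_version_created", "user": "mallory", "workspace": "prod-network"}
{"event": "run_created", "user": "bob", "workspace": "dev-sandbox"}
{"event": "state_version_created", "user": "bob", "workspace": "dev-sandbox"}
"""

# Assumed roster of users who legitimately hold write access per workspace;
# in practice export this from the organization's team/workspace settings.
WRITE_ACCESS = {
    "prod-network": {"alice"},
    "dev-sandbox": {"bob", "carol"},
}

# The two event types the SIEM query above filters on.
WATCHED_EVENTS = {"state_version_created", "plan_applied"}
REQUIRED_FIELDS = ("event", "user", "workspace")


def parse_events(text):
    """Yield one dict per well-formed JSON line carrying the required fields;
    malformed or incomplete lines are skipped rather than stopping the scan."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and all(k in event for k in REQUIRED_FIELDS):
            yield event


def count_by_user_workspace(events):
    """Equivalent of the query's 'stats count by user, workspace' restricted
    to the watched event types."""
    return Counter(
        (e["user"], e["workspace"]) for e in events if e["event"] in WATCHED_EVENTS
    )


def find_unauthorized_state_writes(events, write_access):
    """Return state_version_created events whose actor is not on the
    workspace's write-access roster. A workspace missing from the roster is
    treated as having no authorized writers, so nothing slips through."""
    return [
        e
        for e in events
        if e["event"] == "state_version_created"
        and e["user"] not in write_access.get(e["workspace"], set())
    ]


if __name__ == "__main__":
    events = list(parse_events(SAMPLE_LOG))
    for (user, workspace), n in sorted(count_by_user_workspace(events).items()):
        print(f"{user:>8} {workspace:<14} {n}")
    for e in find_unauthorized_state_writes(events, WRITE_ACCESS):
        print(f"ALERT: {e['user']} created a state version in {e['workspace']}")
```

On the constructed input the count table shows alice twice and mallory and bob once each, and the only alert is mallory's state version in prod-network. A hit is not proof of exploitation on its own; it should be cross-checked against that user's actual workspace permissions and the subsequent plan/apply history for the workspace.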