HCSEC-2025-02 - Nomad Vulnerable To Event Stream Namespace ACL Policy Bypass Through Wildcard Namespace

Bulletin ID: HCSEC-2025-02
Affected Products / Versions:
Nomad Community Edition from 1.0.0 up to 1.9.5, fixed in 1.9.6.
Nomad Enterprise from 1.0.0 up to 1.9.5, 1.8.9, and 1.7.17 (within the 1.9, 1.8, and 1.7 release lines respectively); fixed in 1.9.6, 1.8.10, and 1.7.18.

Publication Date: February 12, 2025

Summary
In Nomad Community and Nomad Enterprise (“Nomad”), a read of the event stream that requests the wildcard namespace (*) can bypass the ACL policy check, allowing a token to read events from namespaces its policy does not grant access to. This vulnerability, identified as CVE-2025-0937, is fixed in Nomad Community Edition 1.9.6 and Nomad Enterprise 1.9.6, 1.8.10, and 1.7.18.

Background
The event stream endpoint in Nomad streams the server’s backlog of events as well as new events as they occur. The stream is kept alive until the connection is closed, and the response body is newline-delimited JSON (ndjson), one JSON object per line. The event stream namespace parameter specifies the namespace whose events are returned; specifying a wildcard (*) includes all namespaces for event types that support namespaces. A request for all namespaces (*) requires either a management token or an ACL policy that explicitly applies to all namespaces (*); a policy that grants access only to specific namespaces is not sufficient.

Details
The vulnerability is exploitable when reading from the event stream endpoint with the wildcard namespace (*). Because of a discrepancy in how ACL wildcards are validated, such a request could pass the ACL policy checks even when the caller’s token would not otherwise be permitted to access a given namespace, allowing the caller to read events belonging to that namespace.
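The following is an added example, not HashiCorp’s or Nomad’s own code. It models the authorization rule stated in the Background section (a namespace=* read needs a management token or a policy that explicitly names "*") and gives an operator a client-side audit for the behaviour described in the Details: feed it the ndjson body returned to a non-management token and it reports any event tagged with a namespace the token’s policy does not cover. The event line shape (an `Index` plus an `Events` list whose entries carry `Topic`, `Type`, `Key`, `Namespace` and `Payload`) follows the documented event stream format, but the sample lines, the namespace names and the job names are constructed for illustration. Glob matching of policy namespace names with `fnmatch` is an approximation of Nomad’s own matching, not its implementation.

```python
"""Audit a Nomad event stream body against a token's ACL namespace grant.

Added example (not HashiCorp code). The stream lines and names below are
constructed; the namespace rule implemented here is the one the bulletin
states, not Nomad's internal ACL code.
"""
import json
from fnmatch import fnmatchcase

WILDCARD = "*"


def wildcard_read_allowed(management, policy_namespaces):
    """Correct check for a namespace=* event stream request.

    Only a management token or a policy that explicitly names "*" may read
    every namespace. A grant for "default", or a glob such as "prod-*", must
    not satisfy a request for all namespaces; treating it as sufficient is
    the kind of wildcard-validation discrepancy the bulletin describes.
    """
    if management:
        return True
    return WILDCARD in set(policy_namespaces)


def namespace_covered(namespace, policy_namespaces):
    """True if the token's policy grants the given namespace.

    fnmatchcase approximates Nomad's glob handling ("prod-*" covers "prod-a");
    a literal "*" grant covers everything.
    """
    return any(fnmatchcase(namespace, pattern) for pattern in policy_namespaces)


def parse_stream(ndjson_text):
    """Yield (frame_index, event) for each event in an ndjson stream body.

    Empty objects are keep-alive frames and carry no events; blank lines
    (trailing newline) are skipped.
    """
    for raw in ndjson_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        frame = json.loads(raw)
        for event in frame.get("Events") or []:
            yield frame.get("Index"), event


def out_of_scope_events(ndjson_text, policy_namespaces):
    """Return events whose Namespace is not covered by the token's policy.

    A non-management token holding only a "default" grant should never
    receive events from other namespaces, whatever namespace parameter it
    sent. Events without a namespace (e.g. Node topic) are not namespace
    scoped and are ignored.
    """
    leaked = []
    for _, event in parse_stream(ndjson_text):
        namespace = event.get("Namespace")
        if not namespace:
            continue
        if not namespace_covered(namespace, policy_namespaces):
            leaked.append(event)
    return leaked


# Constructed sample body: a keep-alive frame, then two frames. The second
# frame mixes a job event from a namespace the audited token is not granted
# ("finance") with a Node event that has no namespace.
SAMPLE_STREAM = "\n".join([
    "{}",
    '{"Index":10,"Events":[{"Topic":"Job","Type":"JobRegistered","Key":"web",'
    '"Namespace":"default","Index":10,"Payload":{"Job":{"ID":"web"}}}]}',
    '{"Index":11,"Events":[{"Topic":"Job","Type":"JobRegistered","Key":"billing",'
    '"Namespace":"finance","Index":11,"Payload":{"Job":{"ID":"billing"}}},'
    '{"Topic":"Node","Type":"NodeRegistration","Key":"node-1","Namespace":"",'
    '"Index":11,"Payload":{}}]}',
    "",
])


if __name__ == "__main__":
    # A token whose policy only names "default" must not be able to ask for "*"...
    print("wildcard read with default-only grant:",
          wildcard_read_allowed(False, ["default"]))
    # ...and if the server answered anyway, this is what it leaked.
    for event in out_of_scope_events(SAMPLE_STREAM, ["default"]):
        print("out of scope:", event["Topic"], event["Type"],
              event["Namespace"], event["Key"])
```

To use it against a live cluster, save the response body of a namespace=* request made with a non-management token (for example with curl) and pass that text to `out_of_scope_events` together with the namespace names from the token’s policy; on a fixed version the request should be refused outright, and the audit exists to confirm nothing outside the grant reaches the client.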

Remediation
Customers using the event stream endpoint should evaluate the risk associated with this issue and consider upgrading to Nomad 1.9.6, 1.8.10, 1.7.18, or newer.

Please refer to Upgrading Nomad for general guidance and the Upgrade Guides for version-specific upgrade notes.

Acknowledgement
This issue was identified by HashiCorp’s Nomad engineering teams.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.