Bulletin ID: HCSEC-2025-08
Affected Products / Versions: Nomad Enterprise up to and including 1.10.0, 1.9.8, and 1.8.12; fixed in 1.10.1, 1.9.9, and 1.8.13.
Publication Date: May 13, 2025
Summary
Jobs submitted to Nomad Enterprise (“Nomad”) with the policy override option can bypass hard mandatory Sentinel policies, which are meant to be impossible to override. This vulnerability, identified as CVE-2025-3744, is fixed in Nomad Enterprise 1.10.1, 1.9.9, and 1.8.13.
Background
Nomad Enterprise uses Sentinel to augment the built-in ACL system with advanced policy enforcement. A Sentinel policy can control behavior based on any attribute of a job, such as the driver, resource requests, network configuration, volume configuration, and more. Nomad supports all three Sentinel enforcement levels, so a policy can be a warning (advisory), can be overridden on request (soft mandatory), or can be absolutely mandatory (hard mandatory); the level is set when the policy is applied (for example, nomad sentinel apply -level=hard-mandatory). The -policy-override flag on job submission (for example, nomad job run -policy-override) is intended to override only soft mandatory Sentinel policies, and using it normally requires an ACL token with the sentinel-override capability.
Details
It was discovered that hard mandatory Sentinel policies applied to job submissions in Nomad Enterprise can be bypassed when the -policy-override flag is provided at submission time. A caller permitted to use the override could therefore run jobs that violate constraints the hard mandatory policies were meant to enforce unconditionally.
Remediation
Customers using hard mandatory Sentinel policies in Nomad Enterprise should evaluate the risk associated with this issue and consider upgrading to Nomad Enterprise 1.10.1, 1.9.9, or 1.8.13, or newer. Until the upgrade is complete, the set of principals allowed to submit jobs with -policy-override should be treated as able to bypass hard mandatory policies as well.
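The following triage helper is an added example for this bulletin; it is not HashiCorp code and not part of the original page. It answers the two questions the remediation raises: whether a given Nomad Enterprise build falls in an affected range (using the version boundaries stated above), and whether the cluster relies on hard mandatory Sentinel policies, the only enforcement level this issue undermines. The version string is whatever `nomad version` prints, and the policy list mirrors the shape of the Sentinel policy list API response (Name, Scope, EnforcementLevel); the sample values in the block are constructed for the example. It assumes that branches older than 1.8 received no fix and that branches newer than 1.10 were cut after the fix; both assumptions are marked in the code.

```python
"""Triage helper for HCSEC-2025-08 / CVE-2025-3744 (added example, not HashiCorp code)."""
import re

# Lowest fixed patch release per affected minor branch, taken from the bulletin.
FIXED_PATCH = {(1, 8): 13, (1, 9): 9, (1, 10): 1}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple[int, int, int]:
    """Extract MAJOR.MINOR.PATCH from strings such as 'Nomad v1.9.8+ent'.

    Pre-release ('-rc1') and build metadata ('+ent') are ignored, so a
    pre-release of a fixed version is treated as fixed; check the release
    notes of any pre-release build separately.
    """
    m = _VERSION_RE.search(version)
    if not m:
        raise ValueError(f"unrecognised Nomad version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_affected(version: str) -> bool:
    """True if the build is in an affected range of HCSEC-2025-08."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_PATCH:
        return patch < FIXED_PATCH[branch]
    # Assumption: branches older than 1.8 received no fix, so they are affected;
    # branches newer than 1.10 are assumed to have been cut after the fix.
    return branch < (1, 8)


def hard_mandatory_policies(policies: list[dict]) -> list[str]:
    """Names of Sentinel policies enforced at hard-mandatory level.

    Other levels are not reported: advisory policies only warn, and
    soft-mandatory policies are overridable by design.
    """
    return sorted(
        p["Name"]
        for p in policies
        if p.get("EnforcementLevel", "").lower() == "hard-mandatory"
    )


def triage(version: str, policies: list[dict]) -> dict:
    """Combine the version check with the policy inventory into a verdict."""
    affected = is_affected(version)
    hard = hard_mandatory_policies(policies)
    at_risk = affected and bool(hard)
    if at_risk:
        action = (
            "upgrade to 1.10.1, 1.9.9 or 1.8.13 (or newer); until then, "
            f"hard-mandatory policies {hard} can be bypassed by any principal "
            "allowed to submit jobs with -policy-override"
        )
    elif affected:
        action = "affected build, but no hard-mandatory policies are in use; upgrade on the normal schedule"
    else:
        action = "not affected by CVE-2025-3744"
    return {
        "version": version,
        "affected": affected,
        "hard_mandatory": hard,
        "at_risk": at_risk,
        "action": action,
    }


# Constructed sample data: the policy names and levels are invented for this example.
SAMPLE_VERSION = "Nomad v1.9.8+ent"
SAMPLE_POLICIES = [
    {"Name": "no-raw-exec", "Scope": "submit-job", "EnforcementLevel": "hard-mandatory"},
    {"Name": "require-cpu-limit", "Scope": "submit-job", "EnforcementLevel": "soft-mandatory"},
    {"Name": "warn-large-count", "Scope": "submit-job", "EnforcementLevel": "advisory"},
]

if __name__ == "__main__":
    verdict = triage(SAMPLE_VERSION, SAMPLE_POLICIES)
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

In a real cluster, feed `triage` the output of `nomad version` and the policy list retrieved with an operator token; the hard-mandatory names it reports are the policies whose guarantees do not hold on an affected build.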
Acknowledgement
This issue was identified by the Kraken Security team.
We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.