Bulletin ID: HCSEC-2025-12
Affected Products / Versions:
Nomad Community Edition from 1.4.0 up to 1.10.1, fixed in 1.10.2.
Nomad Enterprise from 1.4.0 up to 1.10.1, 1.9.9, and 1.8.13, fixed in 1.10.2, 1.9.10, and 1.8.14.
Publication Date: June 11, 2025
Summary
Nomad Community and Nomad Enterprise (“Nomad”) prefix-based ACL policy lookup can lead to incorrect rule application and shadowing. This vulnerability, identified as CVE-2025-4922, is fixed in Nomad Community Edition 1.10.2 and Nomad Enterprise 1.10.2, 1.9.10, and 1.8.14.
Background
Nomad provides an optional Access Control List (ACL) system which can be used to control access to data and APIs. The ACL system is capability-based, relying on tokens which are associated with policies to determine which fine-grained rules can be applied. ACL policies consist of a set of rules defining the capabilities or actions to be granted.
Details
It was discovered that looking up ACL policies by job performed a prefix-based match on the job ID index rather than an exact match. Policies bound to one job could therefore be applied to another job whose ID merely extends the first job's ID, shadowing the rules that were intended to apply. An attacker with permission to submit jobs could create a new job whose ID starts with an existing job's ID (e.g. test-job-2 alongside the existing test-job) and inherit the ACL policies bound to that existing job. This could allow running privileged jobs without any new policy being explicitly configured.
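The following is an added illustration, not code from Nomad or from the advisory. It models the lookup behaviour the advisory describes with a small in-memory index of policies bound to jobs (the kind created with the -job flag of nomad acl policy apply): the vulnerable lookup treats a bound job ID as a prefix of the requesting job's ID, so test-job-2 receives the policy bound to test-job, while the corrected lookup matches the (namespace, job ID) pair exactly. The policy names, namespaces and job IDs are constructed sample data, and the Policy type and index are simplifications that do not reflect Nomad's real state store.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Policy is a cut-down model of a Nomad ACL policy that has been bound to a
// workload by job ID. The real object carries more fields; these are the
// ones the lookup keys on.
type Policy struct {
	Name      string
	Namespace string
	JobID     string
}

// indexKey is the composite key the lookup compares on: namespace and job
// ID, joined with a separator that cannot appear in either part.
func indexKey(ns, jobID string) string {
	return ns + "\x00" + jobID
}

// PolicyIndex is a toy in-memory stand-in for the state-store index, kept
// sorted by key so a prefix scan is a contiguous run of entries.
type PolicyIndex struct {
	entries []Policy
}

func NewPolicyIndex(policies ...Policy) *PolicyIndex {
	idx := &PolicyIndex{entries: append([]Policy(nil), policies...)}
	sort.Slice(idx.entries, func(i, j int) bool {
		return indexKey(idx.entries[i].Namespace, idx.entries[i].JobID) <
			indexKey(idx.entries[j].Namespace, idx.entries[j].JobID)
	})
	return idx
}

// LookupByJobPrefix models the vulnerable behaviour described in the
// advisory: a policy bound to "test-job" is returned for any job in the same
// namespace whose ID starts with "test-job", so "test-job-2" inherits it.
func (idx *PolicyIndex) LookupByJobPrefix(ns, jobID string) []string {
	want := indexKey(ns, jobID)
	var names []string
	for _, p := range idx.entries {
		if p.JobID == "" {
			continue // policy is not bound to a job
		}
		if strings.HasPrefix(want, indexKey(p.Namespace, p.JobID)) {
			names = append(names, p.Name)
		}
	}
	return names
}

// LookupByJobExact is the corrected behaviour: a policy applies only to the
// job it was explicitly bound to, in the namespace it was bound in.
func (idx *PolicyIndex) LookupByJobExact(ns, jobID string) []string {
	want := indexKey(ns, jobID)
	var names []string
	for _, p := range idx.entries {
		if p.JobID != "" && indexKey(p.Namespace, p.JobID) == want {
			names = append(names, p.Name)
		}
	}
	return names
}

// SamplePolicies is constructed data for this demonstration, not taken from
// any real cluster: a privileged policy bound to "test-job" in "default" and
// an unrelated policy bound to a job of the same ID in another namespace.
func SamplePolicies() []Policy {
	return []Policy{
		{Name: "test-job-vault-access", Namespace: "default", JobID: "test-job"},
		{Name: "batch-readonly", Namespace: "batch", JobID: "test-job"},
	}
}

func main() {
	idx := NewPolicyIndex(SamplePolicies()...)
	for _, job := range []string{"test-job", "test-job-2", "test-jobber", "other"} {
		fmt.Printf("%-12s prefix=%v exact=%v\n", job,
			idx.LookupByJobPrefix("default", job), idx.LookupByJobExact("default", job))
	}
}
```

Under the prefix lookup, test-job-2 and test-jobber both receive test-job-vault-access although no policy was ever bound to them; under the exact lookup only test-job does. On a cluster that cannot be upgraded immediately, the practical check is to list policies that carry a job binding (nomad acl policy list, then nomad acl policy info on each) and look for any other job in the same namespace whose ID begins with a bound job's ID.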
Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Nomad 1.10.2, 1.9.10, 1.8.14, or newer.
Acknowledgement
This issue was identified by HashiCorp's Nomad engineering teams.
We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.