
HashiCorp has disclosed a high-severity vulnerability in its workload orchestration tool, Nomad, which could allow attackers to escalate privileges by exploiting a flaw in the system’s Access Control List (ACL) policy lookup mechanism. Tracked as CVE-2025-4922, this vulnerability carries a CVSS score of 8.1, signaling a serious security risk for organizations using vulnerable versions of Nomad.
“Nomad prefix-based ACL policy lookup can lead to incorrect rule application and shadowing,” HashiCorp warned in its security advisory.
Nomad uses an optional ACL system to govern access to jobs, data, and APIs. This system is capability-based, meaning users are granted permissions via tokens tied to specific policies. However, the flaw stems from how Nomad matches jobs to their ACL policies—using a prefix-based lookup rather than an exact name match.
Because of this, the lookup can be made to apply the wrong policy simply by choosing a job name that begins with the same string as an existing job. For example, the policies of a privileged job named test-job could be unintentionally inherited by a less privileged job named test-job-2, because the prefix match resolves test-job-2 against test-job.
“An attacker with the proper access could create a new job with a prefixed name… to inherit the same ACL policies as an already existing job,” the advisory explained. “This could allow running privileged jobs without explicitly configuring a new policy.”
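To make the shadowing concrete, here is an added Go model of the two lookup behaviours plus an audit helper; it is illustrative code written for this article, not Nomad's own implementation, and the policy store, job names, and policy name are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// policyStore is a constructed stand-in for Nomad's job-to-policy mapping.
type policyStore map[string][]string

// lookupByPrefix models the flawed behaviour described in the advisory:
// any stored job name that is a prefix of the requested name matches, so
// "test-job-2" picks up the policies attached to "test-job".
func lookupByPrefix(store policyStore, job string) []string {
	var out []string
	for name, pols := range store {
		if strings.HasPrefix(job, name) {
			out = append(out, pols...)
		}
	}
	sort.Strings(out)
	return out
}

// lookupExact models the corrected behaviour: only an exact name match applies.
func lookupExact(store policyStore, job string) []string {
	out := append([]string(nil), store[job]...)
	sort.Strings(out)
	return out
}

// shadowedPairs is an audit helper for operators still on an unpatched
// version: it returns (existing, other) pairs where one job name is a strict
// prefix of another, i.e. the jobs whose effective policies deserve review.
func shadowedPairs(names []string) [][2]string {
	sorted := append([]string(nil), names...)
	sort.Strings(sorted) // a prefix always sorts before the names it prefixes
	var pairs [][2]string
	for i, a := range sorted {
		for _, b := range sorted[i+1:] {
			if a != b && strings.HasPrefix(b, a) {
				pairs = append(pairs, [2]string{a, b})
			}
		}
	}
	return pairs
}

func main() {
	store := policyStore{"test-job": {"privileged-policy"}}
	fmt.Println(lookupByPrefix(store, "test-job-2")) // [privileged-policy]
	fmt.Println(lookupExact(store, "test-job-2"))    // []
	fmt.Println(shadowedPairs([]string{"test-job-2", "test-job", "web"}))
}
```

Feeding shadowedPairs the job names from a cluster's job list turns the advisory's scenario into a quick pre-upgrade check.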
The vulnerability affects both Nomad Community Edition and Nomad Enterprise, specifically:
- Nomad Community from version 1.4.0 to 1.10.1
- Nomad Enterprise from version 1.4.0 to 1.10.1, 1.9.9, and 1.8.13
The issue has been resolved in the following patched releases:
- Community: 1.10.2
- Enterprise: 1.10.2, 1.9.10, and 1.8.14
HashiCorp strongly advises users to upgrade to the fixed versions immediately.