InfoSecBulletin Cybersecurity for mankind
HashiCorp has revealed a critical vulnerability in its Nomad tool that may let attackers gain higher privileges by misusing the Access Control List (ACL) policy lookup. Identified as CVE-2025-4922, this vulnerability has a CVSS score of 8.1, indicating significant risk for organizations using affected Nomad versions.
“Nomad prefix-based ACL policy lookup can lead to incorrect rule application and shadowing,” HashiCorp warned in its security advisory.
Paraguay 7.4 Million Citizen Records Leaked on Dark Web
High-Severity Flaw in HashiCorp Nomad Allows Privilege Escalation
SoftBank: Over 137,000 personal info leaked
Alert
Trend Micro Apex One Flaw Allow Attackers to Inject Malicious Code
Zero-Click AI Vulnerability Exposes Microsoft 365 Copilot Data Without User Action
Adobe Releases Patch Fixing 254 Vulnerabilities With High-Severity Security Gaps
Alert
40,000 + live internet cameras exposed globally !
Microsoft patch Tuesday fix exploited zero-day and 65 vuls patched
84,000+ Roundcube instances vulnerable to actively exploited flaw
CVE-2025-24016
Critical Wazuh RCE Actively Exploited by Mirai Botnets
Nomad has an optional ACL system that controls access to jobs, data, and APIs. It’s capability-based, where users receive permissions through tokens linked to specific policies. The issue arises from Nomad’s method of matching jobs to ACL policies using prefix-based lookups.
This lookup method can be easily manipulated to implement incorrect policies by utilizing job names that share identical prefixes. For instance, a privileged job labeled test-job could inadvertently pass its policies to a less privileged job called test-job-2, resulting from the way the prefix matching operates.
“An attacker with the proper access could create a new job with a prefixed name… to inherit the same ACL policies as an already existing job,” the advisory explained. “This could allow running privileged jobs without explicitly configuring a new policy.”
The vulnerability affects both Nomad Community Edition and Nomad Enterprise, specifically:
Nomad Community from version 1.4.0 to 1.10.1
Nomad Enterprise from version 1.4.0 to 1.10.1, 1.9.9, and 1.8.13
The issue has been resolved in the following patched releases:
Community: 1.10.2
Enterprise: 1.10.2, 1.9.10, and 1.8.14
HashiCorp strongly advises users to upgrade to the fixed versions immediately.
