InfoSecBulletin Cybersecurity for mankind
HashiCorp has revealed a critical vulnerability in its Nomad tool that may let attackers gain higher privileges by misusing the Access Control List (ACL) policy lookup. Identified as CVE-2025-4922, this vulnerability has a CVSS score of 8.1, indicating significant risk for organizations using affected Nomad versions.
“Nomad prefix-based ACL policy lookup can lead to incorrect rule application and shadowing,” HashiCorp warned in its security advisory.
India’s Tata Electronics hit by cyber breach: Hacker target 630 GB record
Anthropic’s Mythos reportedly broke NSA classified systems in hours
OpenAI New Method “Deployment Simulation” Predicts AI Risks Before Deployment
AryStinger botnet infected thousands of D-Link routers globally
Hacker suspected of sending alerts across Brazil
CyberSentinel AI features 33 security tools like Nmap, SQLMap, and ZAP, utilizing Claude and GPT
Barracuda hosts Dhaka roundtable on cyber resilience
CISA Alerts Fortinet Users as FortiBleed Affects 86,644 FortiGate Devices
CISA: Splunk flaw under active exploit, patch by Sunday
Texas data breach exposes 3 million driver’s licenses
Nomad has an optional ACL system that controls access to jobs, data, and APIs. It’s capability-based, where users receive permissions through tokens linked to specific policies. The issue arises from Nomad’s method of matching jobs to ACL policies using prefix-based lookups.
This lookup method can be easily manipulated to implement incorrect policies by utilizing job names that share identical prefixes. For instance, a privileged job labeled test-job could inadvertently pass its policies to a less privileged job called test-job-2, resulting from the way the prefix matching operates.
“An attacker with the proper access could create a new job with a prefixed name… to inherit the same ACL policies as an already existing job,” the advisory explained. “This could allow running privileged jobs without explicitly configuring a new policy.”
The vulnerability affects both Nomad Community Edition and Nomad Enterprise, specifically:
Nomad Community from version 1.4.0 to 1.10.1
Nomad Enterprise from version 1.4.0 to 1.10.1, 1.9.9, and 1.8.13
The issue has been resolved in the following patched releases:
Community: 1.10.2
Enterprise: 1.10.2, 1.9.10, and 1.8.14
HashiCorp strongly advises users to upgrade to the fixed versions immediately.
