Token Exposure Vulnerability in Nomad Community and Enterprise by HashiCorp
CVE-2025-1296

6.5 MEDIUM

Key Information:

Vendor: HashiCorp
CVE Published: 10 March 2025

Summary

Nomad Community and Nomad Enterprise by HashiCorp have a vulnerability that may expose sensitive workload identity tokens and client secret tokens in audit logs. This can lead to unauthorized access if exploited, allowing attackers to gain insights into the workloads and services running within the Nomad environment. HashiCorp has addressed this issue in the latest releases, specifically in Nomad Community Edition 1.9.7 and Nomad Enterprise versions 1.9.7, 1.8.11, and 1.7.19.

Affected Version(s)

Nomad 64 bit 1.0.0 < 1.9.7

Nomad Enterprise 64 bit 1.0.0 < 1.9.7

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • First article discovered by Vulmon

  • Vulnerability published

  • Vulnerability Reserved