ACL Policy Lookup Issue in Nomad Community and Nomad Enterprise
CVE-2025-4922

8.1HIGH

Key Information:

Vendor: Hashicorp
Status: Nomad; Nomad Enterprise
Vendor: CVE Published:; 11 June 2025

What is CVE-2025-4922?

A significant issue in Nomad Community and Nomad Enterprise arises from the prefix-based ACL policy lookup mechanism. This flaw can lead to incorrect rule application and unintended shadowing of access controls. As a result, legitimate access may be inadvertently denied or malicious activity may go unmitigated. The identified vulnerability has been addressed in recent versions of both Nomad Community Edition and Nomad Enterprise, ensuring that ACL policies are correctly enforced. Users are advised to update to the latest versions to safeguard their deployments.

Affected Version(s)

Nomad 64 bit 1.4.0 < 1.10.2

Nomad Enterprise 64 bit 1.4.0 < 1.10.2

References

https://discuss.hashicorp.com/t/hcsec-2025-12-nomad-vulne...

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 11, 2025
Vulnerability Reserved
May 18, 2025

Hashicorp

What is CVE-2025-4922?

Affected Version(s)

References

CVSS V3.1

Timeline