A high-severity security vulnerability in the HashiCorp Nomad workload orchestrator allows attackers to escalate privileges by abusing the Access Control List (ACL) policy lookup mechanism.
The vulnerability, tracked as CVE-2025-4922, affects both the Community and Enterprise editions of Nomad across a range of versions and poses a serious risk to organizations that rely on the platform's ACL-based security controls.
The flaw stems from incorrect prefix-based ACL policy lookups that can result in unintended policy rule shadowing, allowing a malicious actor to inherit privileged access by naming a new job so that its identifier shares a prefix with an existing high-privilege job.
Overview of Nomad ACL Privilege Escalation
The core of the flaw lies in Nomad's ACL implementation, specifically in how the platform looks up the policies associated with a job.
Nomad's ACL system is capability-based: tokens are linked to policies that define fine-grained access rules and permissions.
In the vulnerable versions, however, the job-to-policy lookup is prefix-based rather than exact, so policy associations are not properly validated and a privilege escalation path opens.
The attack vector is particularly concerning because of its simplicity. An attacker with basic job submission privileges can exploit the flaw by creating a new job whose name is a prefix match for an existing high-privilege job.
For example, if a privileged job named "test-job" exists with elevated ACL policies, an attacker could create a job named "test-job-2" and automatically inherit those policies without any explicit authorization.
This prefix-matching behaviour bypasses the intended controls and grants access to sensitive operations that should require explicit policy configuration.
The implications go beyond simple privilege escalation. The incorrect lookup produces policy rule shadowing: legitimate security boundaries become ineffective because policies are inherited where no inheritance was intended.
The ACL system, designed to enforce strict access control, thereby becomes the escalation vector rather than a protective barrier.
The flaw is especially dangerous in multi-tenant clusters shared by different teams or applications, where it could allow cross-tenant privilege escalation and unauthorized access to sensitive workloads.
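To make the shadowing concrete, here is a deliberately simplified model of the two lookup behaviours, written as an added illustration for this article rather than taken from Nomad's source. The policy table, job names and policy names are constructed; the prefix direction follows the article's "test-job" / "test-job-2" example.

```python
"""Simplified model of job-scoped ACL policy resolution.

Added illustration, not Nomad's own code: the table and names below are
constructed for the example. Policies are keyed by (namespace, job ID),
and the flawed lookup matches on job-ID prefix instead of the exact ID.
"""

# Constructed sample table: policies bound to specific jobs.
JOB_POLICIES = {
    ("default", "test-job"): ["secrets-reader", "deploy-admin"],
    ("default", "web"): ["web-config-reader"],
    ("prod", "test-job"): ["prod-deployer"],
}


def resolve_prefix(namespace, job_id, table=JOB_POLICIES):
    """Flawed lookup: a policy bound to job P is returned for every job in the
    same namespace whose ID starts with P (the direction in the article's
    'test-job' / 'test-job-2' example). Distinct jobs sharing a prefix are
    conflated, so the lower-privileged one inherits the other's rules."""
    found = set()
    for (ns, bound_job), policies in table.items():
        if ns == namespace and job_id.startswith(bound_job):
            found.update(policies)
    return sorted(found)


def resolve_exact(namespace, job_id, table=JOB_POLICIES):
    """Intended lookup: only policies bound to exactly this (namespace, job ID)."""
    return sorted(table.get((namespace, job_id), []))


def shadowed_policies(namespace, job_id, table=JOB_POLICIES):
    """Policies the flawed lookup would grant this job beyond what it is
    actually bound to, i.e. the privilege gained through prefix shadowing."""
    gained = set(resolve_prefix(namespace, job_id, table))
    gained -= set(resolve_exact(namespace, job_id, table))
    return sorted(gained)


if __name__ == "__main__":
    probes = [
        ("default", "test-job"),    # the legitimately privileged job
        ("default", "test-job-2"),  # attacker-chosen name sharing its prefix
        ("prod", "test-job-2"),     # same trick in another namespace
        ("other", "test-job-2"),    # namespace with no bound policies
    ]
    for ns, job in probes:
        print(f"{ns}/{job}: prefix={resolve_prefix(ns, job)} "
              f"exact={resolve_exact(ns, job)} gained={shadowed_policies(ns, job)}")
```

The model shows the pattern rather than Nomad's internal data structures: under the prefix lookup, "test-job-2" in the default namespace receives both policies bound to "test-job", while the exact lookup returns nothing for it because no policy was ever bound to that job.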
Risk Factors
Affected Products: Nomad Community Edition 1.4.0 – 1.10.1 (fixed in 1.10.2); Nomad Enterprise 1.4.0 – 1.10.1, 1.9.9, 1.8.13 (fixed in 1.10.2, 1.9.10, 1.8.14)
Impact: Privilege escalation via ACL policy rule shadowing and incorrect policy inheritance
Exploit Prerequisites: Valid user account with job creation privileges; an existing job with an ACL policy whose name can be prefix-matched
CVSS 3.1 Score: 7.8 (High)
Affected Systems
The vulnerability affects a substantial range of Nomad deployments across both Community and Enterprise editions.
Nomad Community Edition versions 1.4.0 through 1.10.1 are vulnerable. Nomad Enterprise is affected from 1.4.0 through 1.10.1, including the 1.9.9 and 1.8.13 releases on the older supported lines.
This broad version range means that organizations running Nomad deployments installed or upgraded over the past several major release cycles are potentially at risk.
The impact is most severe for organizations that rely heavily on Nomad's ACL system for access control and privilege separation.
Where different applications or teams share the same cluster, the flaw could enable lateral movement and unauthorized access to sensitive workloads.
The ability to inherit ACL policies without proper authorization breaks the security model that organizations depend on to isolate workloads and control access to critical infrastructure components.
Depending on the scope of the inherited policies, the resulting privilege escalation could lead to unauthorized access to sensitive data, configuration changes, or even full cluster compromise.
Mitigations
HashiCorp has addressed the vulnerability with coordinated releases across its supported Nomad lines.
The fixes are available in Nomad Community Edition 1.10.2 and Nomad Enterprise 1.10.2, 1.9.10, and 1.8.14.
Organizations should upgrade to these patched versions immediately, particularly those operating multi-tenant clusters or handling sensitive workloads.
Remediation should also include a review of existing job configurations and ACL policies.
Audit current job naming and policy assignments to identify any instances where the prefix-matching behaviour may already have been exploited.
That review should cover all active jobs and their associated ACL policies to confirm that no unauthorized privilege escalation occurred before patching.
Additional hardening includes strict job naming conventions that prevent prefix overlap between jobs with different privilege levels, regular ACL policy audits, and limiting job submission privileges to trusted users only.
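One way to run the naming audit described above, as an added example that is not part of the original article or of Nomad's tooling: list every pair of jobs in the same namespace where one ID is a proper prefix of the other, then keep the pairs where at least one side has a job-bound ACL policy, since those are the pairs a prefix lookup could conflate. The job entries are shaped like the stubs Nomad's job list API returns (`ID`, `Namespace`) and the policies carry a `JobACL` binding as Nomad's job-scoped policies do, but the sample data is constructed, and the field names should be checked against your cluster's actual output before use.

```python
"""Audit for job IDs that a prefix-based policy lookup could conflate.

Added example, not Nomad code. Input shapes are modelled on Nomad's job
list stubs (`ID`, `Namespace`) and on ACL policies carrying a `JobACL`
binding (`Namespace`, `JobID`); verify them against your version's API
output. All sample data below is constructed.
"""
from collections import defaultdict

# Constructed sample, shaped like entries from the job list API.
SAMPLE_JOBS = [
    {"ID": "test-job", "Namespace": "default"},
    {"ID": "test-job-2", "Namespace": "default"},
    {"ID": "web", "Namespace": "default"},
    {"ID": "webhook", "Namespace": "default"},
    {"ID": "test-job", "Namespace": "prod"},
]

# Constructed sample: one job-bound policy and one cluster-wide policy.
SAMPLE_POLICIES = [
    {"Name": "secrets-reader", "JobACL": {"Namespace": "default", "JobID": "test-job"}},
    {"Name": "cluster-wide", "JobACL": None},
]


def prefix_pairs(jobs):
    """Return (namespace, short_id, long_id) for every pair of jobs in the
    same namespace where short_id is a proper prefix of long_id."""
    by_ns = defaultdict(set)
    for job in jobs:
        by_ns[job["Namespace"]].add(job["ID"])
    pairs = []
    for ns in sorted(by_ns):
        # A proper prefix always sorts before the strings it prefixes, so
        # comparing each ID only against later IDs finds every pair once.
        ids = sorted(by_ns[ns])
        for i, short in enumerate(ids):
            for longer in ids[i + 1:]:
                if longer.startswith(short):
                    pairs.append((ns, short, longer))
    return pairs


def risky_pairs(jobs, policies):
    """Keep only the prefix pairs where at least one side has a job-bound
    policy: those are the pairs where a prefix lookup could hand one job
    the other's permissions. Cluster-wide policies (no JobACL) are ignored."""
    bound = defaultdict(list)
    for pol in policies:
        jacl = pol.get("JobACL") or {}
        if jacl.get("JobID"):
            bound[(jacl["Namespace"], jacl["JobID"])].append(pol["Name"])
    findings = []
    for ns, short, longer in prefix_pairs(jobs):
        pols = bound.get((ns, short), []) + bound.get((ns, longer), [])
        if pols:
            findings.append({"namespace": ns, "jobs": (short, longer), "policies": sorted(pols)})
    return findings


if __name__ == "__main__":
    for f in risky_pairs(SAMPLE_JOBS, SAMPLE_POLICIES):
        print(f"{f['namespace']}: {f['jobs'][0]!r} is a prefix of {f['jobs'][1]!r}; "
              f"job-bound policies involved: {', '.join(f['policies'])}")
```

On the sample data the "web" / "webhook" pair is reported by prefix_pairs but dropped by risky_pairs because neither job has a bound policy, while "test-job" / "test-job-2" is flagged because "test-job" carries secrets-reader. Running the pre-patch audit this way also produces the list of job names to rename once the cluster is upgraded.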