CVE-2025-0937 — Incorrect Authorization in Nomad

CWE-863 — Incorrect Authorization5 documents5 sources

Severity

7.1HIGHNVD

EPSS

0.2%

top 60.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Hashicorp Nomad Hashicorp Nomad Enterprise

Timeline

PublishedFeb 12

Description

Nomad Community and Nomad Enterprise ("Nomad") event stream configured with a wildcard namespace can bypass the ACL Policy allowing reads on other namespaces.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:NExploitability: 2.8 | Impact: 4.2

Affected Packages3 packages

▶CVEListV5hashicorp/nomad_enterprise1.0.0 — 1.9.6

▶CVEListV5hashicorp/nomad1.0.0 — 1.9.6

▶NVDhashicorp/nomad1.0.0 — 1.7.18+3

🔴Vulnerability Details

CVEList

Nomad Vulnerable To Event Stream Namespace ACL Policy Bypass Through Wildcard Namespace↗2025-02-12

▶

OSV

CVE-2025-0937: Nomad Community and Nomad Enterprise ("Nomad") event stream configured with a wildcard namespace can bypass the ACL Policy allowing reads on other nam↗2025-02-12

▶

GHSA

GHSA-5mx9-vcf9-4hvc: Nomad Community and Nomad Enterprise ("Nomad") event stream configured with a wildcard namespace can bypass the ACL Policy allowing reads on other nam↗2025-02-12

▶

📋Vendor Advisories

Red Hat

nomad: Nomad Vulnerable To Event Stream Namespace ACL Policy Bypass Through Wildcard Namespace↗2025-02-12

▶