CVE-2025-1296 — Log File Information Exposure in Nomad

CWE-532 — Log File Information Exposure6 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 80.13%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Hashicorp Nomad Hashicorp Nomad Enterprise Github.com Hashicorp Nomad

Timeline

PublishedMar 10

Latest updateMar 13

Description

Nomad Community and Nomad Enterprise (“Nomad”) are vulnerable to unintentional exposure of the workload identity token and client secret token in audit logs. This vulnerability, identified as CVE-2025-1296, is fixed in Nomad Community Edition 1.9.7 and Nomad Enterprise 1.9.7, 1.8.11, and 1.7.19.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶CVEListV5hashicorp/nomad_enterprise1.0.0 — 1.9.7

▶CVEListV5hashicorp/nomad1.0.0 — 1.9.7

▶NVDhashicorp/nomad1.0.0 — 1.7.19+3

▶Gogithub.com/hashicorp_nomad< 1.9.7+1

🔴Vulnerability Details

OSV

Unintentional exposure of the workload identity token and client secret in logs in github.com/hashicorp/nomad↗2025-03-13

▶

OSV

Nomad is vulnerable to unintentional exposure of the workload identity token and client secret token in audit logs↗2025-03-10

▶

OSV

CVE-2025-1296: Nomad Community and Nomad Enterprise (“Nomad”) are vulnerable to unintentional exposure of the workload identity token and client secret token in audi↗2025-03-10

▶

CVEList

Nomad Exposes Sensitive Workload Identity and Client Secret Token in Audit Logs↗2025-03-10

▶

GHSA

Nomad is vulnerable to unintentional exposure of the workload identity token and client secret token in audit logs↗2025-03-10

▶