CVE-2025-4922 Overview
CVE-2025-4922 affects HashiCorp Nomad Community and Nomad Enterprise editions. The vulnerability resides in the prefix-based Access Control List (ACL) policy lookup logic. When Nomad evaluates ACL policies attached to a job, the prefix matching can cause incorrect rule application and policy shadowing. An authenticated operator can leverage this behavior to receive policy permissions that should not apply to their job, resulting in unauthorized access to resources within the Nomad cluster.
HashiCorp tracks this issue as HCSEC-2025-12 and has released fixed versions in Nomad Community Edition 1.10.2 and Nomad Enterprise 1.10.2, 1.9.10, and 1.8.14.
Critical Impact
Authenticated users can obtain ACL permissions beyond their intended scope, leading to unauthorized read and modify access on jobs and cluster resources.
Affected Products
- HashiCorp Nomad Community Edition prior to 1.10.2
- HashiCorp Nomad Enterprise prior to 1.10.2, 1.9.10, and 1.8.14
- Deployments using prefix-based ACL policies attached to jobs
Discovery Timeline
- 2025-06-11 - CVE-2025-4922 published to the National Vulnerability Database
- 2025-12-22 - Last updated in NVD database
Technical Details for CVE-2025-4922
Vulnerability Analysis
Nomad supports attaching ACL policies to jobs by specifying policy names. When Nomad resolves the attached policy, it performs a prefix-based lookup rather than an exact match. If multiple policies share a common naming prefix, the lookup can resolve to an unintended policy. This causes incorrect rule application: rules from a broader-scoped policy may be evaluated when a narrower policy was intended, or a more permissive policy may shadow a restrictive one. The flaw maps to CWE-266 (Incorrect Privilege Assignment).
The issue allows a low-privileged but authenticated principal to operate within the cluster under permissions that exceed their assigned scope. Confidentiality and integrity of workloads, secrets referenced by jobs, and cluster state are at risk. Availability is not directly impacted by the lookup flaw itself.
Root Cause
The defect originates in the ACL policy resolution code path. Policy names attached to a job specification are matched using prefix semantics rather than strict equality. Operators creating policies with hierarchical or shared naming conventions can unintentionally trigger the wrong policy binding. The behavior violates the principle of least privilege because evaluation collapses distinct policies into a single matched set.
Attack Vector
Exploitation requires network access to the Nomad API and valid credentials with permission to submit or update jobs. An attacker who controls a job submission can reference an ACL policy by a name whose prefix overlaps with a more privileged policy. The Nomad server then applies the unintended policy rules when evaluating subsequent operations performed in the context of that job. No user interaction is required, and complexity is low.
No verified public exploit code or proof-of-concept has been published. Refer to the HashiCorp HCSEC-2025-12 advisory for vendor technical details.
Detection Methods for CVE-2025-4922
Indicators of Compromise
- Job submissions referencing ACL policy names that share prefixes with higher-privileged policies
- Audit log entries showing job operations succeeding against resources the submitting identity should not access
- Unexpected reads or writes to namespaces, variables, or jobs by tokens assigned to narrower-scoped policies
Detection Strategies
- Enumerate all ACL policies and identify any names that share a leading prefix with another policy
- Review Nomad audit logs for job runs whose effective permissions exceed the attached policy's documented scope
- Compare the capabilities reported for a token (nomad acl token self) against the rules of the explicitly attached policy to detect drift
Monitoring Recommendations
- Enable Nomad audit logging on all servers and forward events to a centralized log platform for correlation
- Alert on job submissions that reference ACL policies whose names overlap by prefix with administrative or namespace-wide policies
- Track the Nomad server version reported by /v1/agent/self to confirm patched builds are deployed across the cluster
How to Mitigate CVE-2025-4922
Immediate Actions Required
- Upgrade Nomad Community Edition to 1.10.2 or later
- Upgrade Nomad Enterprise to 1.10.2, 1.9.10, or 1.8.14 depending on your supported release line
- Audit existing ACL policy names and rename any policies that share leading prefixes with other policies
- Rotate ACL tokens for any identity that may have benefited from the incorrect lookup behavior
Patch Information
HashiCorp released fixed builds for all supported branches. Operators should deploy Nomad 1.10.2 for Community Edition, and 1.10.2, 1.9.10, or 1.8.14 for Enterprise. The vendor advisory is published as HCSEC-2025-12 on the HashiCorp Discuss forum.
Workarounds
- Restrict job submission privileges to a minimal set of trusted operators until patched versions are deployed
- Restructure ACL policy names so no policy name is a prefix of another policy name
- Review and tighten namespace ACLs to constrain blast radius for any token operating within the cluster
# Verify Nomad server version on each cluster member
nomad agent-info | grep -i version
# List ACL policies and inspect for prefix collisions
nomad acl policy list
nomad acl policy info <policy-name>
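The following script is an added example written for this page; it is not Nomad's code and does not reproduce Nomad's actual resolver. It models the lookup behaviour the advisory describes (a policy name attached to a job matching every policy that starts with that name) next to an exact-match lookup, and it audits the names printed by nomad acl policy list for one name being a prefix of another, which is the collision the Detection Strategies and Workarounds sections ask operators to find. The policy store, rule merge order, sample policy names and the sample list output are all constructed; the assumed table layout for nomad acl policy list is a "Name  Description" header followed by one policy per line.

```python
"""Illustrative model of the ACL policy-name lookup flaw described in
HCSEC-2025-12, plus an audit that finds policy names that are proper
prefixes of other policy names. Added for this page; not Nomad's own code.
The policy store, names and rules below are constructed sample data."""
from typing import Dict, Iterable, List, Tuple

# Capability ordering used to pick the most permissive rule when several
# policies are collapsed into one matched set (assumption of this model).
RANK = {"deny": 0, "read": 1, "write": 2}

# Constructed sample store: policy name -> {namespace: capability}.
SAMPLE_POLICIES: Dict[str, Dict[str, str]] = {
    "dev": {"default": "read"},
    "dev-admin": {"default": "write", "prod": "write"},
    "ci": {"ci": "write"},
    "ops-readonly": {"prod": "read"},
}


def resolve_prefix(store: Dict[str, Dict[str, str]], name: str) -> List[str]:
    """Flawed lookup modelled on the advisory: every policy whose name starts
    with the requested name is treated as a match."""
    return sorted(p for p in store if p.startswith(name))


def resolve_exact(store: Dict[str, Dict[str, str]], name: str) -> List[str]:
    """Corrected lookup: the attached name must equal a stored policy name."""
    return [name] if name in store else []


def effective_rules(store: Dict[str, Dict[str, str]],
                    matched: Iterable[str]) -> Dict[str, str]:
    """Merge the rules of all matched policies; the most permissive
    capability per namespace wins (assumed merge semantics for the model)."""
    merged: Dict[str, str] = {}
    for policy in matched:
        for namespace, cap in store[policy].items():
            if RANK[cap] > RANK[merged.get(namespace, "deny")]:
                merged[namespace] = cap
    return merged


def find_prefix_collisions(names: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (shorter, longer) pairs where one policy name is a proper
    prefix of another; each pair is a candidate for the wrong binding."""
    unique = sorted(set(names))
    return [(a, b) for a in unique for b in unique if a != b and b.startswith(a)]


def policy_names_from_list_output(text: str) -> List[str]:
    """Extract policy names from the table printed by `nomad acl policy list`
    (assumed layout: a 'Name  Description' header, one policy per line)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return [ln.split()[0] for ln in lines[1:]]


def audit(list_output: str) -> List[Tuple[str, str]]:
    """Run the prefix-collision audit over captured CLI output."""
    return find_prefix_collisions(policy_names_from_list_output(list_output))


# Constructed sample of `nomad acl policy list` output.
SAMPLE_LIST_OUTPUT = """\
Name          Description
ci            CI pipeline jobs
dev           Read-only access for developers
dev-admin     Write access for platform team
ops-readonly  Read prod for on-call
"""

if __name__ == "__main__":
    job_policy = "dev"  # name a job attaches; constructed
    flawed = effective_rules(SAMPLE_POLICIES, resolve_prefix(SAMPLE_POLICIES, job_policy))
    fixed = effective_rules(SAMPLE_POLICIES, resolve_exact(SAMPLE_POLICIES, job_policy))
    print("prefix lookup ->", flawed)   # picks up dev-admin's write rules
    print("exact lookup  ->", fixed)    # only dev's read rule
    for short, longer in audit(SAMPLE_LIST_OUTPUT):
        print(f"collision: {short!r} is a prefix of {longer!r}")
```

With the sample store, a job that attaches "dev" ends up with write access to default and prod under the prefix model but only read on default under exact matching, which is the privilege gap the advisory describes. To use the audit on a real cluster, pipe the output of nomad acl policy list into policy_names_from_list_output and rename any policy that appears on the left of a reported pair so it is no longer a prefix of another name.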
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.