CVE-2025-0937
📋 TL;DR
This vulnerability allows attackers to bypass ACL policies in Nomad event streams configured with wildcard namespaces, enabling unauthorized read access to other namespaces. It affects Nomad Community and Nomad Enterprise deployments using wildcard namespace configurations with event streams.
💻 Affected Systems
- Nomad Community
- Nomad Enterprise
📦 What is this software?
Nomad by HashiCorp
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of sensitive job data, configuration secrets, and namespace information across the entire Nomad cluster through unauthorized read access.
Likely Case
Information disclosure of job details, configurations, and potentially sensitive data from namespaces the attacker shouldn't have access to.
If Mitigated
Limited impact with proper namespace segregation and strict ACL policies already in place.
🎯 Exploit Status
Requires authenticated access and specific configuration conditions. Exploitation involves crafting requests to bypass namespace ACL checks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Nomad 1.8.0 and later
Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2025-02-nomad-vulnerable-to-event-stream-namespace-acl-policy-bypass-through-wildcard-namespace/73191
Restart Required: No
Instructions:
1. Upgrade Nomad to version 1.8.0 or later.
2. Update configuration files if needed.
3. No restart required for hot patching.
🔧 Temporary Workarounds
Disable wildcard namespace in event streams
Remove wildcard (*) namespace configuration from event streams and specify explicit namespaces.
Update Nomad configuration to replace 'namespace = "*"' with specific namespace names in event stream settings
Restrict event stream access
Apply stricter ACL policies to limit which users/services can access event streams.
Review and update ACL policies to restrict event stream permissions
🧯 If You Can't Patch
- Implement network segmentation to restrict access to Nomad API endpoints
- Enhance monitoring and alerting for unusual event stream access patterns
🔍 How to Verify
Check if Vulnerable:
Check if Nomad version is below 1.8.0 AND event streams are configured with wildcard namespace (*) in ACL-enabled environments.
Check Version:
nomad version
Verify Fix Applied:
Verify Nomad version is 1.8.0 or higher and test that event stream access respects namespace ACL policies.
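The two conditions above (version below 1.8.0 and a wildcard namespace in the event stream configuration) can be checked together with the following POSIX shell script. It is an added example, not HashiCorp's code and not part of the advisory. It assumes that `nomad version` prints a first line of the form "Nomad v1.7.3", that the fixed version is 1.8.0 as this page states, and that the wildcard appears in an HCL file as `namespace = "*"` (the form quoted under Temporary Workarounds). The version output and config fragment embedded in the script are constructed samples.

```shell
#!/bin/sh
# Added verification helper (not HashiCorp's code). Assumptions: `nomad version`
# prints "Nomad vX.Y.Z" on its first line, the fixed version is 1.8.0 as stated
# on this page, and the wildcard setting appears in HCL as  namespace = "*".

FIXED_VERSION="1.8.0"   # taken from the page; adjust if your advisory copy differs

# Pull "1.7.3" out of `nomad version` output; prints nothing when no match.
extract_version() {
  printf '%s\n' "$1" | sed -n 's/^Nomad v\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Exit 0 when dotted version $1 is strictly lower than $2 (numeric, per field).
version_lt() {
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$1" | cut -d. -f"$i"); y=$(printf '%s' "$2" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then return 0; fi
    if [ "$x" -gt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
  return 1
}

# Exit 0 when the config text contains an uncommented  namespace = "*"  line.
has_wildcard_namespace() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*namespace[[:space:]]*=[[:space:]]*"\*"'
}

# Combine both conditions named under "Check if Vulnerable". Prints one of:
#   vulnerable | patched-version | no-wildcard | unknown-version
assess() {
  ver=$(extract_version "$1")
  if [ -z "$ver" ]; then echo "unknown-version"; return; fi
  if ! version_lt "$ver" "$FIXED_VERSION"; then echo "patched-version"; return; fi
  if has_wildcard_namespace "$2"; then echo "vulnerable"; else echo "no-wildcard"; fi
}

# Constructed sample inputs (not captured from a real cluster).
SAMPLE_VERSION_OUTPUT='Nomad v1.7.3
BuildDate 2024-01-01T00:00:00Z'
SAMPLE_CONFIG='# constructed event-stream ACL fragment
namespace = "*"
'

# Run against the live host when nomad and a config directory are available,
# otherwise against the constructed samples.
if command -v nomad >/dev/null 2>&1 && [ -n "${NOMAD_CONFIG_DIR:-}" ]; then
  assess "$(nomad version)" "$(cat "$NOMAD_CONFIG_DIR"/*.hcl)"
else
  assess "$SAMPLE_VERSION_OUTPUT" "$SAMPLE_CONFIG"
fi
```

Point NOMAD_CONFIG_DIR at the directory holding your agent's HCL files to run the check on a real host; a result of "vulnerable" means both conditions from the advisory hold and the upgrade or the workaround above should be applied.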
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to event streams
- Event stream requests crossing namespace boundaries without proper authorization
Network Indicators:
- Unusual patterns of event stream API calls from single sources
- Requests attempting to access multiple namespaces in short timeframes
SIEM Query:
source="nomad" AND (event_stream_access OR namespace_violation)