CVE-2025-1296
📋 TL;DR
Nomad audit logs unintentionally expose sensitive workload identity tokens and client secret tokens. This allows attackers with access to audit logs to impersonate workloads or clients. Affects Nomad Community and Enterprise editions before patched versions.
💻 Affected Systems
- Nomad Community
- Nomad Enterprise
📦 What is this software?
Nomad by HashiCorp
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain workload identity tokens and client secret tokens, enabling them to impersonate legitimate workloads or clients, potentially accessing sensitive data or performing unauthorized actions.
Likely Case
Internal actors or attackers with log access harvest tokens for lateral movement or privilege escalation within the Nomad environment.
If Mitigated
With proper log access controls and monitoring, exposure is limited to authorized personnel only, reducing the risk of token misuse.
🎯 Exploit Status
Exploitation requires access to audit logs where tokens are exposed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Nomad Community 1.9.7, Nomad Enterprise 1.9.7, 1.8.11, or 1.7.19
Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2025-04-nomad-exposes-sensitive-workload-identity-and-client-secret-token-in-audit-logs/73737
Restart Required: Yes
Instructions:
1. Back up configuration and data.
2. Download the patched version from HashiCorp.
3. Stop the Nomad service.
4. Install the patched version.
5. Restart the Nomad service.
6. Verify the version and functionality.
🔧 Temporary Workarounds
Disable audit logging (applies to: all)
Temporarily disable audit logging to prevent token exposure until patching.
nomad audit disable
Restrict audit log access (applies to: all)
Implement strict access controls and encryption for audit log storage.
🧯 If You Can't Patch
- Implement strict access controls on audit log storage and transmission
- Monitor audit logs for unauthorized access attempts and token harvesting patterns
🔍 How to Verify
Check if Vulnerable:
Check the Nomad version and the audit log configuration. If audit logging is enabled and the running version is below the patched version for its edition, the system is vulnerable.
Check Version:
nomad version
Verify Fix Applied:
Verify that the Nomad version is 1.9.7 or higher (Community) or 1.9.7, 1.8.11 or 1.7.19 (Enterprise). Confirm that audit logs no longer contain sensitive tokens.
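An added example (not part of this advisory page and not HashiCorp's tooling) that turns the verification rule above into a script: it parses the output of nomad version, picks the fixed releases for the detected edition, and applies the "audit logging enabled AND version below the fix" rule. It assumes that nomad version prints "Nomad v<major>.<minor>.<patch>" and that Enterprise builds append a "+ent" suffix; the sample output at the bottom is constructed so the script runs where no nomad binary is installed.

```python
import re
import subprocess

# Fixed releases as listed in the Official Fix section of this page.
COMMUNITY_FIXED = [(1, 9, 7)]
ENTERPRISE_FIXED = [(1, 9, 7), (1, 8, 11), (1, 7, 19)]

# Assumption: `nomad version` prints "Nomad v<major>.<minor>.<patch>" and
# Enterprise builds append a "+ent" suffix to the version string.
VERSION_RE = re.compile(r"Nomad v(\d+)\.(\d+)\.(\d+)(\+ent)?")


def parse_nomad_version(output):
    """Return ((major, minor, patch), is_enterprise) from `nomad version` output."""
    match = VERSION_RE.search(output)
    if not match:
        raise ValueError(f"unrecognised nomad version output: {output!r}")
    version = tuple(int(match.group(i)) for i in (1, 2, 3))
    return version, match.group(4) is not None


def is_vulnerable(version, is_enterprise, audit_enabled=True):
    """Apply the page's rule: vulnerable only if audit logging is on and the
    running release is older than the fix for its edition."""
    if not audit_enabled:
        return False
    fixed = ENTERPRISE_FIXED if is_enterprise else COMMUNITY_FIXED
    major, minor, patch = version
    for f_major, f_minor, f_patch in fixed:
        if (f_major, f_minor) == (major, minor):
            return patch < f_patch  # same release line: compare patch level
    # No fix on this line: Community 1.8.x must move to 1.9.7, and anything
    # older than the newest fixed line (e.g. 1.6.x) is also unpatched.
    return version < max(fixed)


def assess(output, audit_enabled=True):
    """Combine parsing and the rule; returns a dict suitable for a report."""
    version, ent = parse_nomad_version(output)
    return {
        "version": ".".join(map(str, version)),
        "edition": "Enterprise" if ent else "Community",
        "audit_enabled": audit_enabled,
        "vulnerable": is_vulnerable(version, ent, audit_enabled),
    }


# Constructed sample output, used when the nomad binary is not on PATH.
SAMPLE_OUTPUT = "Nomad v1.9.6+ent\nBuildDate 2025-01-01T00:00:00Z\nRevision abc123\n"

if __name__ == "__main__":
    try:
        result = subprocess.run(["nomad", "version"], capture_output=True, text=True, check=True)
        output = result.stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        output = SAMPLE_OUTPUT
    # audit_enabled must come from your agent configuration; True is the safe default.
    print(assess(output, audit_enabled=True))
```

Run it on each server and client host; a host that reports vulnerable with audit logging enabled needs the patch before its audit logs are considered safe to retain or forward.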
📡 Detection & Monitoring
Log Indicators:
- Audit logs containing workload identity tokens or client secret tokens in plaintext
- Unauthorized access attempts to audit log files
Network Indicators:
- Unusual token usage patterns from unexpected sources
SIEM Query:
source="nomad_audit.log" AND (token OR secret) AND NOT hash
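The SIEM query above keys on the words "token" and "secret", which also match harmless fields such as a token accessor ID. The following added example (written for this page; it is not Nomad's own code and the log lines are constructed, not real Nomad audit output) instead checks the shape of each value in a JSON audit event: a workload identity token is a JWT (three base64url segments, header starting with "eyJ") and a client secret token is a UUID sitting under a field whose name contains "token" or "secret". It reports where in the event the value was found and can emit a redacted copy of the line, which is the form you would forward to a SIEM while unpatched logs still exist. The field names in the samples are assumptions about the log layout.

```python
import json
import re

# Shape heuristics for the two credential types named in this advisory (assumptions,
# not Nomad API facts): workload identity tokens are JWTs, client secrets are UUIDs.
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
# Field names that should never carry a credential value. accessor_id is also a UUID
# but is a public handle, so it is deliberately not matched by these hints.
SECRET_KEY_HINTS = ("secret", "token")
REDACTED = "[REDACTED]"


def _walk(obj, path=()):
    """Yield (path tuple, value) for every string leaf in a parsed JSON document."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _walk(val, path + (key,))
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from _walk(val, path + (str(idx),))
    elif isinstance(obj, str):
        yield path, obj


def _classify(path, value):
    """Return the credential kind for one leaf, or None if it looks harmless."""
    if JWT_RE.search(value):
        return "workload_identity_jwt"
    key = path[-1].lower() if path else ""
    if UUID_RE.match(value) and any(hint in key for hint in SECRET_KEY_HINTS):
        return "client_secret_token"
    return None


def find_exposed_tokens(line):
    """Return a list of (dotted_json_path, kind) findings for one audit log line."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        # Not JSON (e.g. a truncated line): still catch a JWT in the raw text.
        return [("<raw>", "workload_identity_jwt")] if JWT_RE.search(line) else []
    return [(".".join(p), _classify(p, v)) for p, v in _walk(event) if _classify(p, v)]


def _redact(obj, path=()):
    """Return a copy of obj with credential-looking leaves replaced."""
    if isinstance(obj, dict):
        return {k: _redact(v, path + (k,)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_redact(v, path + (str(i),)) for i, v in enumerate(obj)]
    if isinstance(obj, str) and _classify(path, obj):
        return REDACTED
    return obj


def redact_line(line):
    """Return the line with exposed tokens replaced, safe to forward to a SIEM."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return JWT_RE.sub(REDACTED, line)
    return json.dumps(_redact(event), separators=(",", ":"))


def scan_lines(lines):
    """Scan many lines; return [(line_number, findings)] for lines that leak something."""
    hits = []
    for number, line in enumerate(lines, start=1):
        findings = find_exposed_tokens(line)
        if findings:
            hits.append((number, findings))
    return hits


# Constructed sample events (not real Nomad output): one clean event carrying only an
# accessor ID, one leaking a client secret in a request header, one leaking a JWT in a body.
SAMPLE_LINES = [
    '{"event_type":"audit","payload":{"stage":"OperationReceived",'
    '"auth":{"accessor_id":"5c4d0e0e-1234-4c8e-9d2b-0b5c2d1f3a4e","name":"deploy"},'
    '"request":{"operation":"GET","endpoint":"/v1/jobs"}}}',
    '{"event_type":"audit","payload":{"stage":"OperationReceived",'
    '"request":{"operation":"PUT","endpoint":"/v1/jobs",'
    '"headers":{"X-Nomad-Token":"9a1b2c3d-4e5f-4a6b-8c7d-0e1f2a3b4c5d"}}}}',
    '{"event_type":"audit","payload":{"stage":"OperationReceived",'
    '"request":{"operation":"POST","endpoint":"/v1/client/allocation/identity",'
    '"body":{"identity_token":"eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ3b3JrbG9hZCJ9.c2lnbmF0dXJl"}}}}',
]

if __name__ == "__main__":
    for number, findings in scan_lines(SAMPLE_LINES):
        print(f"line {number}: {findings}")
        print("  redacted:", redact_line(SAMPLE_LINES[number - 1]))
```

A non-empty result from scan_lines on logs written by a patched version indicates that the fix is not in place on the node that wrote them; a non-empty result on older logs tells you which tokens to treat as exposed and rotate.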