CVE-2025-0937: 
Nomad vulnerability analysis and mitigation

Nomad Community and Nomad Enterprise ('Nomad') event stream configured with a wildcard namespace can bypass the ACL Policy allowing reads on other namespaces. The vulnerability was discovered and disclosed on February 12, 2025, affecting Nomad Community Edition versions from 1.0.0 up to 1.9.5 and Nomad Enterprise versions from 1.0.0 up to 1.9.5, 1.8.9, and 1.7.17 (HashiCorp Discuss).

The vulnerability exists in the event stream endpoint of Nomad, which is used to stream the server's backlog of events and new events as they occur. The issue specifically relates to how ACL wildcards are validated when the event stream namespace parameter is set to wildcard (*). The vulnerability emerges from a discrepancy in how ACL wildcards are validated, allowing potential bypass of intended access restrictions (HashiCorp Discuss).

The vulnerability allows unauthorized access to read events from namespaces that would otherwise be restricted by ACL policies. When exploited, an attacker could potentially access sensitive information from other namespaces that they should not have permission to view (HashiCorp Discuss).

The vulnerability has been fixed in Nomad Community Edition version 1.9.6 and Nomad Enterprise versions 1.9.6, 1.8.10, and 1.7.18. Users are advised to upgrade to these patched versions. Organizations should evaluate the risk associated with this issue and follow the Nomad upgrade guides for version-specific upgrade notes (HashiCorp Discuss).