CVE-2025-1296: 
Nomad vulnerability analysis and mitigation

Nomad Community and Nomad Enterprise ('Nomad') are vulnerable to unintentional exposure of the workload identity token and client secret token in audit logs. The vulnerability, identified as CVE-2025-1296, was discovered on March 10, 2025, affecting Nomad Community Edition from version 1.0.0 up to 1.9.6 and Nomad Enterprise from version 1.0.0 up to 1.9.6, 1.8.10, and 1.7.18. The issue has been fixed in Nomad Community Edition 1.9.7 and Nomad Enterprise versions 1.9.7, 1.8.11, and 1.7.19 (HashiCorp Discussion).

The vulnerability stems from a logging utility within Nomad that writes unredacted workload identity tokens and client secret tokens to its event stream and log file. The issue is classified as CWE-532 (Insertion of Sensitive Information into Log File). The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).

The exposure of workload identity tokens and client secret tokens in audit logs could allow attackers who gain unauthorized access to these logs to impersonate users or gain access to protected resources. The workload identity feature is used to grant permissions to Nomad tasks within an allocation via a JWT signed by the leader's keyring, while the OIDC Client Secret is used for authentication with OIDC providers (HashiCorp Discussion).

Organizations are advised to upgrade to the fixed versions: Nomad Community Edition 1.9.7 or Nomad Enterprise versions 1.9.7, 1.8.11, or 1.7.19. Customers should evaluate the risk associated with this issue and implement the upgrade based on their security requirements (HashiCorp Discussion).