CVE-2025-3744: 
Nomad vulnerability analysis and mitigation

A critical security vulnerability was discovered in Nomad Enterprise where jobs using the policy override option could bypass mandatory sentinel policies. The vulnerability (CVE-2025-3744) was identified in May 2025 and affects Nomad Enterprise versions up to 1.10.0, 1.9.8, and 1.8.12. The issue has been addressed with fixes released in versions 1.10.1, 1.9.9, and 1.8.13 (Vendor Advisory, NVD).

The vulnerability allows hard mandatory Sentinel policies configured within Nomad Enterprise jobs to be bypassed when the -policy-override flag is provided during job submission. This bypass enables the execution of jobs that violate hard mandatory policy constraints. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.6 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L and is classified as CWE-266 (Incorrect Privilege Assignment) (Wiz, NVD).

The vulnerability compromises Nomad Enterprise's security policy enforcement mechanism, potentially allowing unauthorized job executions that should be restricted by hard mandatory policies. This could lead to violations of security policies, resource constraints, and other mandatory organizational requirements that are typically enforced through Sentinel policies (Wiz).

Organizations using hard mandatory policies in Nomad Enterprise should upgrade to the fixed versions: Nomad Enterprise 1.10.1, 1.9.9, or 1.8.13 or newer. HashiCorp recommends evaluating the risk associated with this issue and implementing the upgrade as soon as possible (Vendor Advisory).

The vulnerability was identified and reported by the Kraken Security team, demonstrating the active security research community's involvement in identifying and responsibly disclosing Nomad Enterprise vulnerabilities (Vendor Advisory).