CVE-2025-4922: 
Nomad vulnerability analysis and mitigation

A high-severity vulnerability (CVE-2025-4922) was discovered in HashiCorp's Nomad workload orchestration tool affecting both Community and Enterprise editions. The vulnerability exists in the Access Control List (ACL) policy lookup mechanism, where prefix-based ACL policy lookup can lead to incorrect rule application and shadowing. The issue affects Nomad Community Edition versions 1.4.0 to 1.10.1 and Nomad Enterprise versions 1.4.0 to 1.10.1, 1.9.9, and 1.8.13 (HashiCorp Advisory, Wiz).

The vulnerability stems from how Nomad performs prefix-based lookups on the index when getting ACL policies by job, which can result in policies being applied incorrectly and cause unintentional policy rule shadowing. The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (High), with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N. This indicates that the vulnerability can be exploited over the network, requires low attack complexity and low privileges, needs no user interaction, and can result in high impacts to confidentiality and integrity (SecurityOnline).

The vulnerability can allow an attacker with proper access to create a new job with a prefixed name (e.g., test-job-2) to inherit the same ACL policies as an already existing job (e.g., test-job). This could enable running privileged jobs without explicitly configuring a new policy, potentially leading to privilege escalation and unauthorized access to resources (HashiCorp Advisory).

HashiCorp has released fixed versions to address this vulnerability. Users should upgrade to Nomad Community Edition 1.10.2 or Nomad Enterprise versions 1.10.2, 1.9.10, or 1.8.14. Organizations are advised to evaluate the risk associated with this issue and implement the upgrade as soon as possible (HashiCorp Advisory).