CVE-2025-4922
Nomad Prefix-Based ACL Policy Vulnerability (Insufficient ACL Resolution)
Description
Nomad Community and Nomad Enterprise (“Nomad”) prefix-based ACL policy lookup can lead to incorrect rule application and shadowing. This vulnerability, identified as CVE-2025-4922, is fixed in Nomad Community Edition 1.10.2 and Nomad Enterprise 1.10.2, 1.9.10, and 1.8.14.
INFO
Published Date :
June 11, 2025, 2:15 p.m.
Last Modified :
June 12, 2025, 4:06 p.m.
Source :
[email protected]
Remotely Exploitable :
Yes !
Impact Score :
5.2
Exploitability Score :
2.8
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2025-4922.
| URL | Resource |
|---|---|
| https://discuss.hashicorp.com/t/hcsec-2025-12-nomad-vulnerable-to-incorrect-acl-policy-lookup-attached-to-a-job/75396 |
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-4922 vulnerability anywhere in the article.
-
Daily CyberSecurity
3DMark Arrives Natively on macOS: Unleash & Benchmark Your Apple Silicon Performance
Previously available for iOS devices, the 3DMark performance benchmarking tool has now been officially released for the macOS platform, as announced by UL Solutions. This native macOS version addresse ... Read more
-
Cyber Security News
HashiCorp Nomad Vulnerability Allows Privilege Escalation via ACL Policy Lookup Exploit
A significant security vulnerability in HashiCorp Nomad workload orchestrator that allows attackers to escalate privileges by exploiting the Access Control List (ACL) policy lookup mechanism. The vuln ... Read more
-
Daily CyberSecurity
Flaw in PostgreSQL JDBC Driver (CVE-2025-49146) Exposes Database Connections to MITM Attacks!
A recently disclosed vulnerability in the PostgreSQL JDBC Driver (PgJDBC) could allow attackers to intercept database connections even when security settings are configured to prevent such attacks. Tr ... Read more
-
Daily CyberSecurity
High-Severity Flaw in HashiCorp Nomad (CVE-2025-4922) Allows Privilege Escalation
HashiCorp has disclosed a high-severity vulnerability in its workload orchestration tool, Nomad, which could allow attackers to escalate privileges by exploiting a flaw in the system’s Access Control ... Read more
The following table lists the changes that have been made to the
CVE-2025-4922 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
New CVE Received by [email protected]
Jun. 11, 2025
Action Type Old Value New Value Added Description Nomad Community and Nomad Enterprise (“Nomad”) prefix-based ACL policy lookup can lead to incorrect rule application and shadowing. This vulnerability, identified as CVE-2025-4922, is fixed in Nomad Community Edition 1.10.2 and Nomad Enterprise 1.10.2, 1.9.10, and 1.8.14. Added CVSS V3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Added CWE CWE-266 Added Reference https://discuss.hashicorp.com/t/hcsec-2025-12-nomad-vulnerable-to-incorrect-acl-policy-lookup-attached-to-a-job/75396
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2025-4922 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2025-4922
weaknesses.