HCSEC-2025-04 PUBLISHED

**Bulletin ID:** HCSEC-2025-04

**Affected Products / Versions:** Nomad Community Edition from 1.0.0 up to 1.9.6, fixed in 1.9.7. Nomad Enterprise from 1.0.0 up to 1.9.6, 1.8.10, 1.7.18, fixed in 1.9.7, 1.8.11, and 1.7.19.

**Publication Date:** March 10, 2025

**Summary**

Nomad Community and Nomad Enterprise ("Nomad") are vulnerable to unintentional exposure of the workload identity token and client secret token in audit logs. This vulnerability, identified as CVE-2025-1296, is fixed in Nomad Community Edition 1.9.7 and Nomad Enterprise 1.9.7, 1.8.11, and 1.7.19.

**Background**

Nomad's [audit block](https://developer.hashicorp.com/nomad/docs/configuration/audit) configuration lets operators enable audit logging, define a sink to stream audit logs to, and set filter rules that exclude events from the audit log. The [workload identity](https://developer.hashicorp.com/nomad/docs/concepts/workload-identity) feature grants permissions to a Nomad task within an allocation via a JWT signed by the leader's keyring. The [OIDC Client Secret](https://developer.hashicorp.com/nomad/api-docs/acl/auth-methods#oidcclientsecret) is the OAuth client secret configured with your OIDC provider; it is set in the [Config (ACLAuthMethodConfig) block](https://developer.hashicorp.com/nomad/api-docs/acl/auth-methods#config) of the [ACL auth methods HTTP API](https://developer.hashicorp.com/nomad/api-docs/acl/auth-methods).

**Details**

It was discovered that a logging utility within Nomad wrote the unredacted workload identity token and client secret token to its event stream and log file. Anyone with unauthorized access to these logs could therefore obtain workload identity tokens and use them to impersonate users, or gain access to protected resources through the exposed client secret token.

**Remediation**

Customers should evaluate the risk associated with this issue and consider upgrading to Nomad 1.9.7, 1.8.11, 1.7.19, or newer.

**Acknowledgement**

This issue was identified by HashiCorp's Nomad engineering teams, in collaboration with HashiCorp's support engineering teams.

*We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see [https://hashicorp.com/security](https://hashicorp.com/security).*
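The bulletin leaves two practical questions to the operator: is a given Nomad version in the affected range, and do audit logs already written by an affected build contain tokens that now need to be treated as exposed? The following Python is an added example written for this page; it is not HashiCorp code and does not reproduce Nomad's real audit log schema. The JSON event layout, endpoint paths and field names (other than `OIDCClientSecret`, which the bulletin references) are constructed for the sample. It relies only on two facts the bulletin supports: workload identity tokens are JWTs, so an unredacted one is a three-segment base64url string whose header segment starts with `eyJ`, and the fixed versions are 1.9.7 (Community and Enterprise), 1.8.11 and 1.7.19 (Enterprise backports).

```python
import base64
import json
import re

# Compact JWS/JWT: three base64url segments separated by dots. The "eyJ"
# prefix is the base64url encoding of '{"', the start of every JSON JOSE header.
JWT_RE = re.compile(r'\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}')

# JSON field that must never appear unredacted in an audit log. "OIDCClientSecret"
# is the field the bulletin links to; the surrounding event layout is constructed.
SECRET_FIELD_RE = re.compile(r'("OIDCClientSecret"\s*:\s*)"[^"]*"')
SENSITIVE_KEYS = {"OIDCClientSecret"}

# Fixed releases per release line, from the bulletin.
FIRST_FIXED = (1, 9, 7)
ENTERPRISE_BACKPORT_FIXED = {(1, 8): (1, 8, 11), (1, 7): (1, 7, 19)}


def parse_version(version):
    """Turn '1.9.6' or '1.9.6+ent' into a comparable (major, minor, patch) tuple."""
    core = re.split(r"[+-]", version, maxsplit=1)[0]
    major, minor, patch = (int(part) for part in core.split("."))
    return (major, minor, patch)


def is_affected(version, enterprise=False):
    """True if this Nomad version is in the bulletin's affected range.

    Community: 1.0.0 up to 1.9.6 (fixed in 1.9.7). Enterprise additionally has
    fixed backports 1.8.11 and 1.7.19, so 1.8.11 and 1.7.19 are not affected.
    """
    v = parse_version(version)
    if v < (1, 0, 0) or v >= FIRST_FIXED:
        return False
    if enterprise:
        fixed = ENTERPRISE_BACKPORT_FIXED.get(v[:2])
        if fixed is not None and v >= fixed:
            return False
    return True


def _walk(obj):
    """Yield (key, value) pairs from a nested JSON object, depth-first."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield key, value
            yield from _walk(value)
    elif isinstance(obj, list):
        for item in obj:
            yield from _walk(item)


def scan_audit_line(line):
    """Return findings for one audit log line (JSON event or plain text)."""
    findings = []
    try:
        event = json.loads(line)
    except ValueError:
        event = None
    if isinstance(event, dict):
        for key, value in _walk(event):
            if key in SENSITIVE_KEYS and isinstance(value, str) and value:
                findings.append(f"sensitive key {key!r} present")
    findings.extend("JWT-shaped token present" for _ in JWT_RE.finditer(line))
    return findings


def scan_audit_log(lines):
    """Return [(line_index, findings)] for every line that leaks a token or secret."""
    results = []
    for index, line in enumerate(lines):
        findings = scan_audit_line(line)
        if findings:
            results.append((index, findings))
    return results


def redact_line(line):
    """Mask JWTs and OIDC client secret values so a copy of the log can be shared."""
    line = JWT_RE.sub("[REDACTED_JWT]", line)
    return SECRET_FIELD_RE.sub(r'\1"[REDACTED]"', line)


def _fake_jwt():
    """Build a syntactically valid, unsigned JWT for the constructed sample."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = b64({"alg": "RS256", "typ": "JWT"})
    payload = b64({"nomad_job_id": "example-job", "iss": "nomad-placeholder"})
    signature = "c2lnbmF0dXJlLXBsYWNlaG9sZGVyLW5vdC1yZWFs"  # placeholder, not a real signature
    return f"{header}.{payload}.{signature}"


# Constructed sample audit lines; the event layout is not Nomad's real schema.
SAMPLE_LINES = [
    json.dumps({"type": "audit", "payload": {"request": {"operation": "GET", "endpoint": "/v1/job/example-job"}}}),
    json.dumps({"type": "audit", "payload": {"request": {"operation": "POST", "endpoint": "/v1/acl/auth-method",
                "body": {"Config": {"OIDCClientSecret": "constructed-client-secret"}}}}}),
    json.dumps({"type": "audit", "payload": {"request": {"operation": "POST", "endpoint": "/v1/acl/login",
                "headers": {"Authorization": "Bearer " + _fake_jwt()}}}}),
    "plain text line with token " + _fake_jwt() + " embedded",
]

if __name__ == "__main__":
    for index, findings in scan_audit_log(SAMPLE_LINES):
        print(f"line {index}: {findings}")
        print("  redacted:", redact_line(SAMPLE_LINES[index]))
```

A hit from `scan_audit_log` on logs written by an affected build means the matched workload identity token or client secret should be considered disclosed to whoever could read that sink, which is the input to the risk evaluation the Remediation section asks for. The redaction helper is for sharing log excerpts with support; it does not make the original log safe, since the token may already have been streamed to the configured sink.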

Timeline

  • Mar 10, 2025 CVE Published