Cyber Posture

CVE-2025-0937

High

Published: 12 February 2025

Modified: 15 December 2025
KEV Added: (not listed)
Patch: (not listed)
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.0018 (39.0th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Nomad Community and Nomad Enterprise ("Nomad") event stream configured with a wildcard namespace can bypass the ACL Policy allowing reads on other namespaces.

Security Summary

CVE-2025-0937 affects Nomad Community and Nomad Enterprise, where an event stream configured with a wildcard namespace can bypass ACL policies, enabling reads on other namespaces. This vulnerability, published on 2025-02-12T19:15:09.687, carries a CVSS score of 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N) and is classified under CWE-863 (Incorrect Authorization).

An attacker requires low privileges (PR:L) to exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation grants high confidentiality impact (C:H) by allowing unauthorized reads of data in other namespaces, alongside low integrity impact (I:L) and no availability impact (A:N), without changing the scope (S:U).

The HashiCorp security advisory provides details on this issue at https://discuss.hashicorp.com/t/hcsec-2025-02-nomad-vulnerable-to-event-stream-namespace-acl-policy-bypass-through-wildcard-namespace/73191.

Details

CWE(s)
CWE-863

Affected Products

hashicorp
nomad
1.0.0 to 1.7.18
1.0.0 to 1.9.6
1.8.0 to 1.8.10

References