CVE-2025-4922 in Nomad
Summary
by MITRE • 06/11/2025
Nomad Community and Nomad Enterprise (“Nomad”) prefix-based ACL policy lookup can lead to incorrect rule application and shadowing. This vulnerability, identified as CVE-2025-4922, is fixed in Nomad Community Edition 1.10.2 and Nomad Enterprise 1.10.2, 1.9.10, and 1.8.14.
Analysis
by VulDB Data Team • 12/22/2025
CVE-2025-4922 affects Nomad Community and Nomad Enterprise releases before their respective patched versions. The flaw sits in the prefix-based access control list (ACL) policy lookup, part of the authorization logic that decides whether an operation on Nomad's distributed workload management platform is permitted, and is a critical weakness in that system. When Nomad evaluates ACL policies by prefix matching, improper handling of policy hierarchy and rule precedence can cause the wrong rule to be applied. The result is either unauthorized access to resources or unintended denial of legitimate operations, both of which undermine the access controls that deployments depend on.
The root cause is how Nomad matches ACL policies when resources are identified by prefix patterns. When several policies have overlapping or nested prefixes, the lookup does not reliably determine which one takes precedence, so a less restrictive policy can shadow a more restrictive one. This matters most in deployments where administrators define many policies across namespaces, jobs, or other resources, because the prefix matching does not account for the hierarchical relationship between those rules. The defect lives in the policy evaluation layer: conflicts between similar prefix patterns are not resolved consistently, so authorization outcomes become unpredictable.
The impact goes beyond a simple access control failure: it can enable privilege escalation, where a user obtains access to restricted resources or sensitive data in a Nomad-managed environment. Organizations that rely on Nomad for container orchestration and distributed application deployment risk unauthorized access to their workload management systems, which could lead to data breaches, service disruption, or compromise of the wider infrastructure. Both Community and Enterprise editions are affected, so users of either are equally exposed; Enterprise users have patched versions for several release streams. Where Nomad is the primary orchestration platform for containerized applications, the potential impact across an enterprise environment is substantial.
Security practitioners should immediately update to the patched versions named in the advisory: Nomad Community Edition 1.10.2 and Nomad Enterprise 1.10.2, 1.9.10, or 1.8.14. The fix corrects the core policy evaluation logic so that prefix matching and rule precedence behave as intended, removing the shadowing that caused incorrect rule application. After upgrading, audit existing ACL policies for conflicts that the flaw may have masked, paying particular attention to policies with overlapping prefix patterns. The weakness is classified as CWE-284 Access Control Issues, here in the form of improper access control enforcement through flawed policy resolution. In ATT&CK terms, it could support initial access and privilege escalation techniques and allow an adversary to move laterally within Nomad-managed environments. Finally, test the updated policy configuration to confirm that access controls behave as intended, specifically that the more restrictive policy takes precedence wherever resource prefixes overlap.
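To make the shadowing described in the analysis concrete, the following is an added example in Go (Nomad's implementation language). It is not Nomad's code and does not reproduce Nomad's actual ACL data model or matching rules; the Policy type, the capability names, the resource names and the policy set are all constructed for illustration. It contrasts a naive first-match prefix lookup, in which a broad read/write rule stored earlier hides a narrower read-only rule, with a most-specific-match lookup in which the longest matching prefix wins, and adds the kind of overlap audit the analysis recommends running over an existing policy set.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Policy is a simplified prefix-based ACL rule: any resource whose name
// starts with Prefix is governed by Capabilities. Constructed model only,
// not Nomad's data structures.
type Policy struct {
	Name         string
	Prefix       string
	Capabilities map[string]bool
}

// firstMatch models a naive prefix lookup: walk the policies in storage
// order and return the first whose prefix matches. A broad prefix stored
// earlier shadows a narrower, more restrictive one stored later.
func firstMatch(policies []Policy, resource string) (Policy, bool) {
	for _, p := range policies {
		if strings.HasPrefix(resource, p.Prefix) {
			return p, true
		}
	}
	return Policy{}, false
}

// mostSpecific picks the matching policy with the longest prefix, so the
// narrowest rule wins regardless of the order policies were stored in.
func mostSpecific(policies []Policy, resource string) (Policy, bool) {
	var best Policy
	found := false
	for _, p := range policies {
		if !strings.HasPrefix(resource, p.Prefix) {
			continue
		}
		if !found || len(p.Prefix) > len(best.Prefix) {
			best, found = p, true
		}
	}
	return best, found
}

// Allowed reports whether capability is granted on resource under the
// supplied lookup strategy. No matching policy means deny.
func Allowed(lookup func([]Policy, string) (Policy, bool), policies []Policy, resource, capability string) bool {
	p, ok := lookup(policies, resource)
	return ok && p.Capabilities[capability]
}

// Overlap names two policies whose prefixes nest: every resource under the
// narrow prefix also matches the broad one, so precedence decides the outcome.
type Overlap struct {
	Broad, Narrow string
}

// AuditOverlaps lists every pair of policies where one prefix is a proper
// prefix of another. These are the pairs a reviewer should check after
// upgrading, since the shadowed rule may have been silently ignored before.
func AuditOverlaps(policies []Policy) []Overlap {
	var out []Overlap
	for _, a := range policies {
		for _, b := range policies {
			if a.Name != b.Name && len(a.Prefix) < len(b.Prefix) && strings.HasPrefix(b.Prefix, a.Prefix) {
				out = append(out, Overlap{Broad: a.Name, Narrow: b.Name})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Broad != out[j].Broad {
			return out[i].Broad < out[j].Broad
		}
		return out[i].Narrow < out[j].Narrow
	})
	return out
}

// SamplePolicies is a constructed policy set: a broad read/write grant on
// "prod-" stored before a narrower read-only rule on "prod-payments-".
var SamplePolicies = []Policy{
	{Name: "prod-ops", Prefix: "prod-", Capabilities: map[string]bool{"read": true, "write": true}},
	{Name: "prod-payments-readonly", Prefix: "prod-payments-", Capabilities: map[string]bool{"read": true}},
}

func main() {
	res := "prod-payments-ledger"
	fmt.Printf("first-match   write on %s: %v\n", res, Allowed(firstMatch, SamplePolicies, res, "write"))
	fmt.Printf("most-specific write on %s: %v\n", res, Allowed(mostSpecific, SamplePolicies, res, "write"))
	for _, o := range AuditOverlaps(SamplePolicies) {
		fmt.Printf("overlap to review: %q is a prefix of %q\n", o.Broad, o.Narrow)
	}
}
```

Under the first-match strategy the broad prod-ops rule grants write on prod-payments-ledger even though a read-only rule exists for that prefix; under the most-specific strategy the longer prod-payments- prefix wins and write is denied. The audit reports the prod-ops / prod-payments-readonly pair as the one nesting to review. The audit is quadratic in the number of policies, which is acceptable for policy sets of hundreds of rules; for larger sets a sorted prefix list or a trie would do the same job.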