CVE-2025-1296 – github.com/hashicorp/nomad
Package
Manager: go
Name: github.com/hashicorp/nomad
Vulnerable Version: >=0 <=1.9.6
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00022 (percentile 0.04329)
Details
Nomad is vulnerable to unintentional exposure of the workload identity token and client secret token in audit logs.
Nomad Community and Nomad Enterprise (“Nomad”) are vulnerable to unintentional exposure of the workload identity token and client secret token in audit logs. This vulnerability, identified as CVE-2025-1296, is fixed in Nomad Community Edition 1.9.7 and Nomad Enterprise 1.9.7, 1.8.11, and 1.7.19.
Metadata
Created: 2025-03-10T18:31:57Z
Modified: 2025-03-14T20:04:19Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-c3q9-q986-vrwh/GHSA-c3q9-q986-vrwh.json
CWE IDs: ["CWE-532"]
Alternative ID: GHSA-c3q9-q986-vrwh
Finding: F076
Auto approve: 1