CVE-2025-3744

Published: May 13, 2025Modified: May 15, 2025

7.6

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

Exploitability: 2.8 / Impact: 4.7

Source: NVD

Description

Nomad Enterprise (“Nomad”) jobs using the policy override option are bypassing the mandatory sentinel policies. This vulnerability, identified as CVE-2025-3744, is fixed in Nomad Enterprise 1.10.1, 1.9.9, and 1.8.13.

Affected (5)

Products: Hashicorp: Nomad

Hashicorp

1 product

Nomad

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Hashicorp Nomad	Before 1.8.13
Hashicorp Nomad	From 1.9.0 to 1.9.9
Hashicorp Nomad	Version 1.10.0
Hashicorp Nomad	Version 1.10.0 beta1
Hashicorp Nomad	Version 1.10.0 rc1

Related CWEs

CWE-266

Incorrect Privilege Assignment

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

References (1)

https://discuss.hashicorp.com/t/hcsec-2025-08-nomad-enterprise-vulnerable-to-violation-of-mandatory-sentinel-policies-in-job-submissions-via-policy-override/74935

Source: security@hashicorp.com

Vendor Advisory

Timeline

No history available yet.