Nomad Community and Nomad Enterprise (“Nomad”) prefix-based ACL policy lookup can lead to incorrect rule application and shadowing. This vulnerability, identified as CVE-2025-4922, is fixed in Nomad Community Edition 1.10.2 and Nomad Enterprise 1.10.2, 1.9.10, and 1.8.14.
{
"cna_assigner": "HashiCorp",
"cwe_ids": [
"CWE-266"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/4xxx/CVE-2025-4922.json"
}{
"extracted_events": [
{
"introduced": "1.4.0"
},
{
"fixed": "1.8.14"
},
{
"fixed": "1.10.2"
},
{
"introduced": "1.9.0"
},
{
"fixed": "1.9.10"
},
{
"introduced": "1.10.0"
}
],
"cpe": [
"cpe:2.3:a:hashicorp:nomad:*:*:*:*:enterprise:*:*:*",
"cpe:2.3:a:hashicorp:nomad:*:*:*:*:-:*:*:*"
],
"source": "CPE_RANGE"
}