VYPR
Moderate severity · NVD Advisory · Published Oct 11, 2022 · Updated May 20, 2025

CVE-2022-41606

Description

In HashiCorp Nomad and Nomad Enterprise 1.0.2 up to 1.2.12, and 1.3.5, jobs submitted with an artifact stanza using invalid S3 or GCS URLs can be used to crash client agents. Fixed in 1.2.13, 1.3.6, and 1.4.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

HashiCorp Nomad 1.0.2-1.2.12 and 1.3.5 client agents crash when a job with an invalid S3/GCS artifact URL is submitted, enabling denial of service.

Root Cause

The vulnerability lies in Nomad's artifact stanza, which uses HashiCorp's go-getter library to fetch artifacts from S3 or GCS. When a job is submitted with an invalid S3 or GCS URL, the go-getter library triggers a panic that crashes the Nomad client agent, rather than handling the error gracefully [1][4].

Exploitation

An attacker with authenticated access to submit jobs to a Nomad cluster can exploit this by crafting a job specification containing a malformed S3 or GCS URL in an artifact stanza. No special network position or additional privileges are required beyond the ability to submit jobs [4].

Impact

Successful exploitation causes the Nomad client agent to crash, resulting in a denial of service condition. This can disrupt workload execution and cluster stability, potentially affecting all jobs running on the targeted client node [4].

Mitigation

HashiCorp has addressed this issue in Nomad versions 1.2.13, 1.3.6, and 1.4.0 by modifying the go-getter integration to recover from panics during artifact retrieval. Users are strongly advised to upgrade to these versions or later to prevent exploitation [1][4].
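
The mitigation described above, sketched as an added example (not Nomad's or go-getter's code): a wrapper that recovers a panic raised inside an artifact fetcher and returns it as an ordinary error. `fetchFunc`, `brittleFetch`, `safeFetch`, `ErrFetchPanic` and the sample inputs are hypothetical and constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// fetchFunc is a hypothetical stand-in for a third-party artifact getter.
type fetchFunc func(src string) (string, error)

// ErrFetchPanic marks errors that were converted from a recovered panic,
// so callers and log pipelines can tell them apart from normal failures.
var ErrFetchPanic = errors.New("artifact fetch panicked")

// brittleFetch is a constructed stand-in, not go-getter code: it indexes
// into the split source without a length check, so short input panics.
func brittleFetch(src string) (string, error) {
	parts := strings.Split(src, "/")
	return parts[2], nil // panics when src has fewer than three segments
}

// safeFetch runs fetch and turns any panic into an error, so one bad
// artifact source fails its own task instead of ending the process.
func safeFetch(fetch fetchFunc, src string) (out string, err error) {
	defer func() {
		if r := recover(); r != nil {
			out = ""
			err = fmt.Errorf("%w: source %q: %v", ErrFetchPanic, src, r)
		}
	}()
	return fetch(src)
}

func main() {
	// Constructed inputs: one well-formed, one that makes the stand-in panic.
	for _, src := range []string{"bucket/dir/app.tar.gz", "bucket-only"} {
		out, err := safeFetch(brittleFetch, src)
		fmt.Printf("src=%q out=%q err=%v\n", src, out, err)
	}
}
```

`recover` only catches panics on the goroutine that deferred it, so a fetcher that panics inside a goroutine it spawns still terminates the process; that case needs its own deferred recover inside the goroutine or process-level isolation.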

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| github.com/hashicorp/nomad (Go) | < 1.2.13 | 1.2.13 |
| github.com/hashicorp/nomad (Go) | >= 1.3.0, < 1.3.6 | 1.3.6 |
