Nomad Vulnerable to Allocation Directory Escape On Non-Existing File Paths Through Archive Unpacking
Description
In HashiCorp Nomad and Nomad Enterprise from 0.6.1 up to 1.6.13, 1.7.10, and 1.8.2, the archive unpacking process is vulnerable to writes outside the allocation directory during migration of allocation directories when multiple archive headers target the same file. This vulnerability, CVE-2024-7625, is fixed in Nomad 1.6.14, 1.7.11, and 1.8.3. Access to, or compromise of, the Nomad client agent at the source allocation is a prerequisite for leveraging this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
HashiCorp Nomad 0.6.1-1.6.13, 1.7.10, 1.8.2 allows allocation directory escape via crafted archive during migration.
Root cause
CVE-2024-7625 is a vulnerability in HashiCorp Nomad and Nomad Enterprise where the archive unpacking process fails to properly handle multiple archive headers targeting the same file during migration of allocation directories [1]. This allows writes outside the intended allocation directory when streaming allocation directories does not remove existing files in paths within the same allocation directory before unpacking [2].
Exploitation
An attacker must first gain access to or compromise the Nomad client agent at the source allocation [1]. With this prerequisite, the attacker can craft a malicious archive that, when unpacked during allocation migration, writes files to paths outside the allocation directory [2]. The vulnerability affects Nomad versions from 0.6.1 up to 1.6.13, 1.7.10, and 1.8.2 [1].
Impact
Successful exploitation allows an attacker with control over the source allocation to write files outside the allocation directory on the target client, potentially leading to arbitrary file write or escape from the allocation sandbox [2]. The exact impact depends on the permissions of the Nomad client process.
Mitigation
HashiCorp has fixed this vulnerability in Nomad 1.6.14, 1.7.11, and 1.8.3 [1][2]. Users are advised to upgrade to these versions or later. No workarounds are mentioned.
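The mechanism described under Root cause and the fix described under Mitigation can be shown with a small tar unpacker. The Go program below is an added example written for this page; it is not Nomad's code and makes no claim about how Nomad's migration code is structured. Everything in it is the example's own construction: the Unpack, BuildTar and TryUnpack functions, the ErrEscape value, and the two-header archive in SameNameArchive (a symlink header followed by a regular-file header with the same name). In its non-hardened mode nothing checks what an earlier header left at the target path, so the second header's bytes are written through the symlink the first header created; in its hardened mode every entry path and link target must stay inside the destination, whatever already exists at the exact path is removed before writing, and the file is created with O_EXCL so an existing symlink is never followed.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscape reports an archive entry that would resolve outside the destination.
var ErrEscape = fmt.Errorf("archive entry escapes destination directory")
// Entry is a constructed archive member: a non-empty Link makes a symlink, otherwise a regular file.
type Entry struct{ Name, Link, Body string }

// BuildTar serialises constructed entries into an in-memory tar stream.
func BuildTar(entries []Entry) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		hdr := &tar.Header{Name: e.Name, Mode: 0o644, Typeflag: tar.TypeReg, Size: int64(len(e.Body))}
		if e.Link != "" {
			hdr.Typeflag, hdr.Linkname, hdr.Size = tar.TypeSymlink, e.Link, 0
		}
		tw.WriteHeader(hdr)
		tw.Write([]byte(e.Body))
	}
	tw.Close()
	return buf.Bytes()
}

// SameNameArchive is the advisory's shape: two headers for one name, a symlink (kept inside dest) then a regular file.
var SameNameArchive = BuildTar([]Entry{{Name: "config", Link: "real.txt"}, {Name: "config", Body: "from header 2"}})

// inside reports whether the cleaned path p lies within dest.
func inside(dest, p string) bool {
	rel, err := filepath.Rel(dest, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// Unpack extracts regular files and symlinks from a tar stream directly into dest.
// hardened=false never looks at what an earlier header left at the target path;
// hardened=true checks containment, removes the existing path, and opens with O_EXCL.
func Unpack(r io.Reader, dest string, hardened bool) error {
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		} else if err != nil {
			return err
		}
		target := filepath.Join(dest, hdr.Name)
		flags := os.O_WRONLY | os.O_CREATE | os.O_TRUNC // follows a symlink already at target
		if hardened {
			link := filepath.Join(filepath.Dir(target), hdr.Linkname)
			if !inside(dest, target) || (hdr.Typeflag == tar.TypeSymlink && (filepath.IsAbs(hdr.Linkname) || !inside(dest, link))) {
				return fmt.Errorf("%s (link %q): %w", hdr.Name, hdr.Linkname, ErrEscape)
			}
			// Remove whatever an earlier header (or a previous run) left at this exact path.
			if err := os.RemoveAll(target); err != nil {
				return err
			}
			flags = os.O_WRONLY | os.O_CREATE | os.O_EXCL // fails instead of following anything
		}
		switch hdr.Typeflag {
		case tar.TypeSymlink:
			err = os.Symlink(hdr.Linkname, target)
		case tar.TypeReg:
			var f *os.File
			if f, err = os.OpenFile(target, flags, 0o644); err == nil {
				_, err = io.Copy(f, tr)
				f.Close()
			}
		default:
			err = fmt.Errorf("%s: unsupported entry type %d", hdr.Name, hdr.Typeflag)
		}
		if err != nil {
			return err
		}
	}
}

// TryUnpack runs Unpack in a fresh temporary directory and reports whether real.txt (the link target) was created and whether config is a regular file.
func TryUnpack(archive []byte, hardened bool) (throughLink, configRegular bool, err error) {
	dest, err := os.MkdirTemp("", "unpack-demo-")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(dest)
	if err = Unpack(bytes.NewReader(archive), dest, hardened); err != nil {
		return false, false, err
	}
	fi, err := os.Lstat(filepath.Join(dest, "config"))
	_, errReal := os.Lstat(filepath.Join(dest, "real.txt"))
	return errReal == nil, err == nil && fi.Mode().IsRegular(), nil
}
```

Calling TryUnpack(SameNameArchive, false) reports that real.txt was created, because the second header was written through the symlink left by the first; TryUnpack(SameNameArchive, true) reports that config is a regular file and real.txt does not exist. In hardened mode an entry named ../outside.txt, a link to ../outside, or an absolute link target is refused with ErrEscape. Two things a production unpacker would add are omitted here for brevity: creating parent directories for nested entries, and re-checking a pre-existing parent directory after symlink resolution, since the lexical check alone cannot see a parent that is itself a symlink.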
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/hashicorp/nomad | Go | >= 0.6.1, < 1.6.14 | 1.6.14 |
| github.com/hashicorp/nomad | Go | >= 1.7.0, < 1.7.11 | 1.7.11 |
| github.com/hashicorp/nomad | Go | >= 1.8.0, < 1.8.3 | 1.8.3 |
Affected products
- HashiCorp/Nomad, range: 0.6.1
- HashiCorp/Nomad Enterprise, range: 0.6.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.