Moderate severityNVD Advisory· Published Mar 10, 2025· Updated Mar 11, 2025
Nomad Exposes Sensitive Workload Identity and Client Secret Token in Audit Logs
CVE-2025-1296
Description
Nomad Community and Nomad Enterprise (“Nomad”) are vulnerable to unintentional exposure of the workload identity token and client secret token in audit logs. This vulnerability, identified as CVE-2025-1296, is fixed in Nomad Community Edition 1.9.7 and Nomad Enterprise 1.9.7, 1.8.11, and 1.7.19.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/hashicorp/nomadGo | <= 1.9.6 | — |
Affected products
4- ghsa-coords2 versionspkg:golang/github.com/hashicorp/nomadpkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
<= 1.9.6+ 1 more
- (no CPE)range: <= 1.9.6
- (no CPE)range: < 0.0.20250313T170021-1.1
- Range: 1.0.0
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-c3q9-q986-vrwhghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-1296ghsaADVISORY
- discuss.hashicorp.com/t/hcsec-2025-04-nomad-exposes-sensitive-workload-identity-and-client-secret-token-in-audit-logs/73737ghsaWEB
- github.com/hashicorp/nomad/commit/dc482bf9058faf7a192486eb52caa1d42646f6b3ghsaWEB
- pkg.go.dev/vuln/GO-2025-3510ghsaWEB
News mentions
0No linked articles in our index yet.