CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-1296: Nomad Exposes Sensitive Workload Identity and Client Secret Token in Audit Logs

6.5 CVSS

Description

Nomad Community and Nomad Enterprise (“Nomad”) are vulnerable to unintentional exposure of the workload identity token and client secret token in audit logs. This vulnerability, identified as CVE-2025-1296, is fixed in Nomad Community Edition 1.9.7 and Nomad Enterprise 1.9.7, 1.8.11, and 1.7.19.

Classification

CVE ID: CVE-2025-1296

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Problem Types

CWE-532: Insertion of Sensitive Information into Log File

Affected Products

Vendor: HashiCorp, HashiCorp

Product: Nomad, Nomad Enterprise

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 6.83% (scored less or equal to compared to others)

EPSS Date: 2025-04-08 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-1296
https://discuss.hashicorp.com/t/hcsec-2025-04-nomad-exposes-sensitive-workload-identity-and-client-secret-token-in-audit-logs/73737

Timeline

2025-03-10 19:40:18 UTC
CVE

Nomad Exposes Sensitive Workload Identity and Client Secret Token in Audit Logs