In HashiCorp Nomad and Nomad Enterprise from 0.6.1 up to 1.6.13, 1.7.10, and 1.8.2, the archive unpacking process is vulnerable to writes outside the allocation directory during migration of allocation directories when multiple archive headers target the same file. This vulnerability, CVE-2024-7625, is fixed in Nomad 1.6.14, 1.7.11, and 1.8.3. Access or compromise of the Nomad client agent at the source allocation first is a prerequisite for leveraging this vulnerability.

Affected Packages

Go github.com/hashicorp/nomad

Affected versions: 0.6.1 (fixed in 1.6.14)

Go github.com/hashicorp/nomad

Affected versions: 1.7.0 (fixed in 1.7.11)

Go github.com/hashicorp/nomad

Affected versions: 1.8.0 (fixed in 1.8.3)

Related CVEs

CVE-2024-7625

Key Information

GHSA ID

GHSA-25qx-vfw2-fw8r

Published

August 15, 2024 12:30 AM

Last Modified

September 25, 2024 7:27 PM

CVSS Score

5.0 /10

Primary Ecosystem

Primary Package

github.com/hashicorp/nomad

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 6, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.