GHSA-c866-8gpw-p3mv

GitHub Security Advisory

HashiCorp Nomad vulnerable to symlink attacks

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

The template renderer in HashiCorp Nomad and Nomad Enterprise 1.5.13 up to 1.6.6, and 1.7.3, is vulnerable to arbitrary file write on the host as the Nomad client user through symlink attacks. Fixed in Nomad 1.7.4, 1.6.7, 1.5.14.

Affected Packages

Go github.com/hashicorp/nomad, affected versions: 1.5.13 (fixed in 1.5.14)
Go github.com/hashicorp/nomad, affected versions: 1.6.0 (fixed in 1.6.7)
Go github.com/hashicorp/nomad, affected versions: 1.7.3 (fixed in 1.7.4)

Key Information

GHSA ID: GHSA-c866-8gpw-p3mv
Published: February 8, 2024 9:30 PM
Last Modified: September 26, 2024 9:10 PM
CVSS Score: 7.5/10
Primary Ecosystem: Go
Primary Package: github.com/hashicorp/nomad
GitHub Reviewed: ✓ Yes

Dataset

Last updated: November 25, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.