{"id":"GO-2026-4278","summary":"HashiCorp Nomad is vulnerable to path escape through archive unpacking during migration in github.com/hashicorp/nomad","details":"HashiCorp Nomad is vulnerable to path escape through archive unpacking during migration in github.com/hashicorp/nomad","aliases":["CVE-2024-6717","GHSA-5mqx-rpxv-mvxj"],"modified":"2026-03-03T04:57:49.059514Z","published":"2026-01-12T17:39:39Z","database_specific":{"review_status":"UNREVIEWED","url":"https://pkg.go.dev/vuln/GO-2026-4278"},"references":[{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-5mqx-rpxv-mvxj"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-6717"},{"type":"FIX","url":"https://github.com/hashicorp/nomad/pull/27068/commits/d0f4f27dd03e7f9843d7b921ca9f33c257efdfd1"},{"type":"WEB","url":"https://discuss.hashicorp.com/t/hcsec-2024-15-nomad-vulnerable-to-allocation-directory-path-escape-through-archive-unpacking/68781"},{"type":"WEB","url":"https://github.com/hashicorp/nomad/releases/tag/v1.11.1"}],"affected":[{"package":{"name":"github.com/hashicorp/nomad","ecosystem":"Go","purl":"pkg:golang/github.com/hashicorp/nomad"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.11.1"}]}],"ecosystem_specific":{},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2026-4278.json"}}],"schema_version":"1.7.3"}