Is github.com/hashicorp/nomad affected by CVE-2024-6717?

Go github.com/hashicorp/nomad is affected in <1.11.1.

Is CVE-2024-6717 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.4%.

medium

CVE-2024-6717

Q: Is CVE-2024-6717 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.4%.

Go · github.com/hashicorp/nomad

Summary

HashiCorp Nomad is vulnerable to path escape through archive unpacking during migration in github.com/hashicorp/nomad

Severity: medium
EPSS: 0.4% (p30)
Also known as: GHSA-5mqx-rpxv-mvxj, GO-2026-4278
Published: 2026-01-12

References

https://github.com/advisories/GHSA-5mqx-rpxv-mvxj
https://nvd.nist.gov/vuln/detail/CVE-2024-6717
https://github.com/hashicorp/nomad/pull/27068/commits/d0f4f27dd03e7f9843d7b921ca9f33c257efdfd1

Related advisories

CVE-2026-7474 — high · Go/github.com/hashicorp/nomad
CVE-2026-6959 — medium · Go/github.com/hashicorp/nomad

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.