HashiCorp Nomad: path traversal in host volume plugin loader → client-host RCE
What's the vulnerability?
Nomad's dynamic host volume feature lets operators create volumes on client nodes via external plugins (small executables in a configured plugin directory). When a volume is created, the server RPC HostVolume.Create forwards a ClientHostVolume.Create RPC to the target client. The client's HostVolumeManager.getPlugin passes the attacker-supplied PluginID directly into NewHostVolumePluginExternal in client/hostvolumemanager/host_volume_plugin.go (around line 229 in v2.0.0). There, the code does:
executable := filepath.Join(pluginDir, filename)
f, err := os.Stat(executable)
If filename (the PluginID) contains path-traversal sequences such as ../../../bin/sh, filepath.Join escapes the intended plugin directory: Join calls filepath.Clean on the result, so the .. components are collapsed lexically rather than rejected, and pluginDir/../../../bin/sh becomes /bin/sh. The code then only checks whether that arbitrary path exists and is executable; if it does, the escaped path is stored in HostVolumePluginExternal.Executable. That executable is later invoked via exec.CommandContext during Fingerprint, Create, and Delete operations, yielding arbitrary code execution as the Nomad client user. Note that an absolute PluginID on its own does not escape (Join("/opt/plugins", "/bin/sh") is /opt/plugins/bin/sh); the traversal comes from the .. components.
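The vulnerable pattern and one hardened form, as an added example written for this page (it is not Nomad's code and not Nomad's fix). The plugin directory /opt/nomad/plugins and the plugin IDs fed to it are constructed for illustration; resolvePluginSafe is an assumed allow-list policy (a plugin ID must be a single path element) followed by a filepath.Rel containment check.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// resolvePluginUnsafe mirrors the vulnerable pattern: the caller-supplied
// plugin ID is joined onto the plugin directory with no validation.
// filepath.Join runs Clean on the result, so "../" components are resolved
// lexically and the returned path can point anywhere on the filesystem.
func resolvePluginUnsafe(pluginDir, pluginID string) string {
	return filepath.Join(pluginDir, pluginID)
}

// ErrBadPluginID is returned for IDs that are empty, dot-only, contain a
// path separator, or would otherwise land outside pluginDir.
var ErrBadPluginID = errors.New("invalid plugin ID")

// resolvePluginSafe is an illustrative hardened form (an assumption for this
// example, not Nomad's patch). A plugin ID is required to be exactly one
// path element, so empty, ".", "..", and anything containing a separator is
// rejected before the join. The joined path is then confirmed to sit directly
// under pluginDir with filepath.Rel as a second, independent check.
func resolvePluginSafe(pluginDir, pluginID string) (string, error) {
	if pluginID == "" || pluginID == "." || pluginID == ".." {
		return "", ErrBadPluginID
	}
	if strings.ContainsAny(pluginID, `/\`) {
		return "", ErrBadPluginID
	}
	base := filepath.Clean(pluginDir)
	executable := filepath.Join(base, pluginID)
	// For a well-formed single-element ID, Rel(base, executable) must give
	// back exactly that ID; anything else means the path moved.
	rel, err := filepath.Rel(base, executable)
	if err != nil || rel != pluginID {
		return "", ErrBadPluginID
	}
	return executable, nil
}

func main() {
	const pluginDir = "/opt/nomad/plugins" // constructed plugin directory for the demo
	for _, id := range []string{"mkfs", "../../../bin/sh", "/bin/sh", "sub/mkfs", ""} {
		unsafe := resolvePluginUnsafe(pluginDir, id)
		safe, err := resolvePluginSafe(pluginDir, id)
		fmt.Printf("id=%-18q unsafe=%-28s safe=%q err=%v\n", id, unsafe, safe, err)
	}
}
```

Running it shows the unsafe join turning ../../../bin/sh into /bin/sh while the absolute /bin/sh stays under the plugin directory, and the hardened resolver rejecting every ID that is not a plain filename. A real fix would still need to stat and check the execute bit on the resulting path, as the original code does, but only after the name has been constrained.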
Server-side validation is bypassed when the attacker supplies an explicit NodeID in the create request: the server's placeHostVolume shortcut honours the requested node and skips the feasibility check that would otherwise verify the plugin is actually present on that node (via the ${attr.plugins.host_volume.<plugin>.version} node attribute fingerprinted from the plugin directory). The result is that a user holding the host-volume-create ACL capability in a namespace can target any client node and run any executable already on its filesystem, with no need for write access to the client host.
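The server-side shortcut described above, beside a placement routine that applies the feasibility check on both paths, as an added example written for this page (not Nomad's placeHostVolume and not its fix). The node records, their attribute maps, and the pluginIDRe allow-list are constructed assumptions for the demo; the attribute key format plugins.host_volume.<plugin>.version follows the page.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// node carries the flat attribute map a client fingerprints, including one
// plugins.host_volume.<plugin>.version entry per plugin found in its plugin dir.
type node struct {
	ID    string
	Attrs map[string]string
}

// createRequest is the subset of a host volume create request that matters
// here: the plugin to run and an optional caller-chosen node.
type createRequest struct {
	NodeID   string // optional; when set, the caller names the target node
	PluginID string
}

var errNoNode = errors.New("no eligible node has the requested plugin")

// pluginAttr builds the fingerprint attribute key for a plugin ID.
func pluginAttr(pluginID string) string {
	return "plugins.host_volume." + pluginID + ".version"
}

func hasPlugin(n node, pluginID string) bool {
	_, ok := n.Attrs[pluginAttr(pluginID)]
	return ok
}

// placeUnsafe mirrors the shortcut: an explicit NodeID is returned as-is and
// the plugin feasibility check only runs when the server has to pick a node.
func placeUnsafe(nodes []node, req createRequest) (string, error) {
	if req.NodeID != "" {
		return req.NodeID, nil
	}
	for _, n := range nodes {
		if hasPlugin(n, req.PluginID) {
			return n.ID, nil
		}
	}
	return "", errNoNode
}

// pluginIDRe is an assumed allow-list for plugin IDs (not Nomad's rule): a
// single filename-like token, so "..", "../x" and "/bin/sh" never match.
var pluginIDRe = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]*$`)

// placeSafe validates the plugin ID before it can reach any client and
// applies the same attribute check whether or not a NodeID was supplied.
func placeSafe(nodes []node, req createRequest) (string, error) {
	if !pluginIDRe.MatchString(req.PluginID) {
		return "", fmt.Errorf("invalid plugin ID %q", req.PluginID)
	}
	for _, n := range nodes {
		if req.NodeID != "" && n.ID != req.NodeID {
			continue
		}
		if hasPlugin(n, req.PluginID) {
			return n.ID, nil
		}
	}
	return "", errNoNode
}

func main() {
	// Constructed cluster: node-a fingerprinted an "mkfs" plugin, node-b has none.
	nodes := []node{
		{ID: "node-a", Attrs: map[string]string{pluginAttr("mkfs"): "0.1.0"}},
		{ID: "node-b", Attrs: map[string]string{}},
	}
	reqs := []createRequest{
		{PluginID: "mkfs"},
		{NodeID: "node-b", PluginID: "mkfs"},
		{NodeID: "node-b", PluginID: "../../../bin/sh"},
	}
	for _, r := range reqs {
		u, uerr := placeUnsafe(nodes, r)
		s, serr := placeSafe(nodes, r)
		fmt.Printf("%+v\n  unsafe: node=%q err=%v\n  safe:   node=%q err=%v\n", r, u, uerr, s, serr)
	}
}
```

The third request is the attack shape from the text: with an explicit NodeID the unsafe path hands node-b a plugin ID it never fingerprinted, and the client-side join turns it into /bin/sh; the checked path refuses it at the server, and also refuses a legitimate plugin name for a node that does not advertise it.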
Verify with pruva-verify
Run the Pruva CLI to automatically fetch and execute the reproduction script.
Install the CLI:

curl -fsSL https://pruva.dev/install.sh | sh

Then verify by reproduction ID, GHSA ID, or CVE ID:

pruva-verify REPRO-2026-00185
pruva-verify GHSA-hx53-77qj-8663
pruva-verify CVE-2026-7474

Or run manually:

1. Download the script:
   curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00185/artifacts/bundle/repro/reproduction_steps.sh
2. Make it executable:
   chmod +x reproduction_steps.sh
3. Run it:
   ./reproduction_steps.sh