CVE-2025-30215
published 2025-04-16


Priority: P262, critical
CVSS 3.1 base score: 9.6
CVSS 3.1 vector: AV:N / AC:L / PR:L / UI:N / S:C / C:N / I:H / A:H
EPSS: 0.53% (40.6th percentile)
NATS-Server is a High-Performance server for NATS.io, the cloud and edge native messaging system. In versions starting from 2.2.0 but prior to 2.10.27 and 2.11.1, the management of JetStream assets happens with messages in the $JS. subject namespace in the system account; this is partially exposed into regular accounts to allow account holders to manage their assets. Some of the JS API requests were missing access controls, allowing any user with JS management permissions in any account to perform certain administrative actions on any JS asset in any other account. At least one of the unprotected APIs allows for data destruction. None of the affected APIs allow disclosing stream contents. This vulnerability is fixed in v2.11.1 or v2.10.27.

Affected (12 ranges)

Vendor | Product | Version range | Fixed in
debian | nats-server | < nats-server 2.10.27-1 (forky) | nats-server 2.10.27-1 (forky)
github.com | nats-io_nats-server_v2 | >= 2.11.0, < 2.11.1 | 2.11.1
github.com | nats-io_nats-server_v2 | >= 2.11.0-RC.1, < 2.11.1 | 2.11.1
github.com | nats-io_nats-server_v2 | >= 2.2.0, < 2.10.27 | 2.10.27
linuxfoundation | nats-server | >= 0, < 2.10.27-1 | 2.10.27-1
linuxfoundation | nats-server | >= 0, < 2.10.27-1 | 2.10.27-1
msrc | azl3_telegraf_1.31.0-10_on_azure_linux_3.0 | (not stated) | (not stated)
msrc | azl3_telegraf_1.31.0-9_on_azure_linux_3.0 | (not stated) | (not stated)
msrc | cbl2_telegraf_1.29.4-15_on_cbl_mariner_2.0 | (not stated) | (not stated)
msrc | cbl2_telegraf_1.29.4-16_on_cbl_mariner_2.0 | (not stated) | (not stated)
nats-io | nats-server | (not stated) | (not stated)
nats-io | nats-server | (not stated) | (not stated)

Detection & IOCs (extracted from sources)

Indicator (other): $JS. (subject namespace used for JetStream management in the system account)
  • Monitor for unauthorized cross-account JetStream API calls — any user with JS management permissions in one account sending $JS. subject namespace messages targeting assets in a different account should be flagged as anomalous.
  • Alert on JetStream admin API calls that result in data deletion originating from non-owner accounts, as at least one unprotected API enables data destruction.
  • Flag NATS-Server instances running versions 2.2.0 through 2.10.26 or 2.11.0 as vulnerable; patch to v2.10.27 or v2.11.1.
  • The vulnerability is scoped to deployments where JetStream is enabled and multiple accounts are configured; single-account or non-JetStream deployments have a reduced attack surface.
  • Stream contents are not exposed by any of the affected APIs; the risk is limited to unauthorized administrative actions (including data destruction), not data exfiltration.
  • Red Hat Trusted Profile Analyzer (guac container) is confirmed not affected because NATS is not installed with that product.

CVSS provenance

Source | CVSS version | Score | Severity | Vector
nvd | v3.1 | 9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
osv | (not stated) | 9.6 | CRITICAL | (not stated)
vendor_debian | (not stated) | 9.6 | CRITICAL | (not stated)
vendor_msrc | (not stated) | 9.6 | CRITICAL | (not stated)
vendor_redhat | (not stated) | 9.6 | CRITICAL | (not stated)