CVE-2025-30215
Published: 2025-04-16
Priority: P262 · critical · 9.6 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
EPSS: 0.53% (40.6th percentile)
NATS-Server is a High-Performance server for NATS.io, the cloud and edge native messaging system. In versions starting from 2.2.0 but prior to 2.10.27 and 2.11.1, the management of JetStream assets happens with messages in the $JS. subject namespace in the system account; this is partially exposed into regular accounts to allow account holders to manage their assets. Some of the JS API requests were missing access controls, allowing any user with JS management permissions in any account to perform certain administrative actions on any JS asset in any other account. At least one of the unprotected APIs allows for data destruction. None of the affected APIs allow disclosing stream contents. This vulnerability is fixed in v2.11.1 or v2.10.27.
Affected (12 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | nats-server | < nats-server 2.10.27-1 (forky) | nats-server 2.10.27-1 (forky) |
| github.com | nats-io_nats-server_v2 | >= 2.11.0 < 2.11.1 | 2.11.1 |
| github.com | nats-io_nats-server_v2 | >= 2.11.0-RC.1 < 2.11.1 | 2.11.1 |
| github.com | nats-io_nats-server_v2 | >= 2.2.0 < 2.10.27 | 2.10.27 |
| linuxfoundation | nats-server | >= 0 < 2.10.27-1 | 2.10.27-1 |
| linuxfoundation | nats-server | >= 0 < 2.10.27-1 | 2.10.27-1 |
| msrc | azl3_telegraf_1.31.0-10_on_azure_linux_3.0 | — | — |
| msrc | azl3_telegraf_1.31.0-9_on_azure_linux_3.0 | — | — |
| msrc | cbl2_telegraf_1.29.4-15_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_telegraf_1.29.4-16_on_cbl_mariner_2.0 | — | — |
| nats-io | nats-server | — | — |
| nats-io | nats-server | — | — |
Detection & IOCs (extracted from sources)
Other IOC: `$JS.` (JetStream API subject namespace)
Detection guidance:
- Monitor for unauthorized cross-account JetStream API calls: any user with JS management permissions in one account sending $JS. subject namespace messages targeting assets in a different account should be flagged as anomalous.
- Alert on JetStream admin API calls that result in data deletion originating from non-owner accounts, as at least one unprotected API enables data destruction.
- Flag NATS-Server instances running versions 2.2.0 through 2.10.26 or 2.11.0 as vulnerable; patch to v2.10.27 or v2.11.1.
Context:
- The vulnerability is scoped to deployments where JetStream is enabled and multiple accounts are configured; single-account or non-JetStream deployments have a reduced attack surface.
- Stream contents are not exposed by any of the affected APIs; the risk is limited to unauthorized administrative actions (including data destruction), not data exfiltration.
- Red Hat Trusted Profile Analyzer (guac container) is confirmed not affected because NATS is not installed with that product.
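The version-based check in the detection guidance and the affected-version table above are the two things an inventory scan needs: a parser for the version strings a server reports and the half-open ranges the advisory lists (2.2.0 up to but not including 2.10.27, and 2.11.0-RC.1 up to but not including 2.11.1). The Go program below is an added example written for this page; it is not code from the nats-io project or from any of the quoted sources. It assumes two conventions that the advisory does not state: a suffix beginning with a letter (such as `-RC.1`) is a pre-release that sorts before the final build of the same number, and a purely numeric suffix (such as Debian's `-1`) is a packaging revision of the final upstream build. The sample inventory in `main` is constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version is a parsed nats-server version: the numeric core plus a rank that
// puts pre-release builds (e.g. "-RC.1") before the final release of that core.
type Version struct {
	Major, Minor, Patch int
	release             int // 0 = pre-release, 1 = final (or distro-revisioned) build
}

// ParseVersion accepts "2.10.26", "v2.11.0-RC.1" or a Debian-style "2.10.27-1".
// Assumption (not from the advisory): a suffix starting with a letter marks a
// pre-release; a numeric suffix is a packaging revision of the final build.
func ParseVersion(s string) (Version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	core, suffix, hasSuffix := strings.Cut(s, "-")
	v := Version{release: 1}
	if hasSuffix && suffix != "" && !isDigit(suffix[0]) {
		v.release = 0
	}
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return Version{}, fmt.Errorf("unrecognised version %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return Version{}, fmt.Errorf("bad component %q in %q", p, s)
		}
		nums[i] = n
	}
	v.Major, v.Minor, v.Patch = nums[0], nums[1], nums[2]
	return v, nil
}

func isDigit(b byte) bool { return b >= '0' && b <= '9' }

// Less reports whether a sorts strictly before b.
func (a Version) Less(b Version) bool {
	switch {
	case a.Major != b.Major:
		return a.Major < b.Major
	case a.Minor != b.Minor:
		return a.Minor < b.Minor
	case a.Patch != b.Patch:
		return a.Patch < b.Patch
	}
	return a.release < b.release
}

// vulnRange is a half-open interval [Lo, Hi) of affected versions.
type vulnRange struct{ Lo, Hi Version }

func mustParse(s string) Version {
	v, err := ParseVersion(s)
	if err != nil {
		panic(err)
	}
	return v
}

// Ranges affected by CVE-2025-30215 as listed in the advisory: 2.2.0 up to
// (not including) 2.10.27, and 2.11.0-RC.1 up to (not including) 2.11.1.
var cve202530215 = []vulnRange{
	{mustParse("2.2.0"), mustParse("2.10.27")},
	{mustParse("2.11.0-RC.1"), mustParse("2.11.1")},
}

// IsVulnerable reports whether a nats-server version string falls inside an
// affected range; strings that cannot be parsed yield an error, never "safe".
func IsVulnerable(version string) (bool, error) {
	v, err := ParseVersion(version)
	if err != nil {
		return false, err
	}
	for _, r := range cve202530215 {
		if !v.Less(r.Lo) && v.Less(r.Hi) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed inventory of version strings as they might be reported by
	// `nats-server --version`, a package manager, or a server INFO message.
	inventory := []string{"2.1.9", "2.2.0", "2.10.26", "2.10.27", "2.10.27-1",
		"v2.11.0-RC.1", "2.11.0", "2.11.1", "2.12.0", "latest"}
	for _, s := range inventory {
		vuln, err := IsVulnerable(s)
		if err != nil {
			fmt.Printf("%-14s needs manual review: %v\n", s, err)
			continue
		}
		fmt.Printf("%-14s vulnerable=%v\n", s, vuln)
	}
}
```

Unparseable strings are reported for manual review rather than silently treated as patched, so a scan over a fleet never under-counts exposure because of an odd version label. Note that the numeric-suffix assumption means a hypothetical `2.10.27-RC.1` is classified as vulnerable (it sorts before the 2.10.27 fix) while Debian's `2.10.27-1` is classified as fixed, which matches the table above.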
CVSS provenance
- nvd (v3.1): 9.6 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
- osv: 9.6 CRITICAL
- vendor_debian: 9.6 CRITICAL
- vendor_msrc: 9.6 CRITICAL
- vendor_redhat: 9.6 CRITICAL
OSV
Missing ACLs on JavaScript APIs allowing privilege escalation github.com/nats-io/nats-server
osv · 2025-04-22 · CVE-2025-30215
OSV
CVE-2025-30215: NATS-Server is a High-Performance server for NATS
osv · 2025-04-16 · CVSS 9.6 · [CRITICAL]
GHSA
NATS Server may fail to authorize certain Jetstream admin APIs
ghsa · 2025-04-15 · CVE-2025-30215 · [CRITICAL] · CWE-285
## Advisory
The management of JetStream assets happens with messages in the `$JS.` subject namespace in the system account; this is partially exposed into regular accounts to allow account holders to manage their assets.
Some of the JS API requests were missing access controls, allowing any user with JS management permissions in any account to perform certain administrative actions on any JS asset in any other account. At least one of the unprotected APIs allows for data destruction. None of the affected APIs allow disclosing stream contents.
### Affected versions
NATS Server:
* Version 2 from v2.2.0 onwards, prior to v2.11.1 or v2.10.27
## Original Report
(Lightly edited to confirm some supposition and in the summary t
OSV
NATS Server may fail to authorize certain Jetstream admin APIs
osv · 2025-04-15 · CVE-2025-30215 · [CRITICAL]
Red Hat
nats-server: NATS-Server Fails to Authorize Certain Jetstream Admin APIs
vendor_redhat · 2025-04-15 · CVSS 9.6 · CVE-2025-30215 · [CRITICAL] · CWE-287
Microsoft
NATS-Server Fails to Authorize Certain Jetstream Admin APIs
vendor_msrc · 2025-04-08 · CVSS 9.6 · CVE-2025-30215 · [CRITICAL] · CWE-306
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Tags: Mariner, GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: htt
Debian
CVE-2025-30215: nats-server - NATS-Server is a High-Performance server for NATS.io, the cloud and edge native ...
vendor_debian · 2025 · CVSS 9.6 · CVE-2025-30215 · [CRITICAL]
Scope: local
bookworm: open
forky: resolved (fixed
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-30215 nats-server: NATS-Server Fails to Authorize Certain Jetstream Admin APIs [fedora-42]
bugzilla · 2025-04-16 · CVSS 9.6 · CVE-2025-30215 · [CRITICAL]
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2360022
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion: This message is a reminder that Fedora Linux 42 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version
Bugzilla
CVE-2025-30215 golang-github-nats-io-streaming-server: NATS-Server Fails to Authorize Certain Jetstream Admin APIs [fedora-42]
bugzilla · 2025-04-16 · CVSS 9.6 · CVE-2025-30215 · [CRITICAL]
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2360022
Published: 2025-04-16