CVE-2025-30215Improper Authentication in Nats-io Nats-server V2

CWE-287Improper AuthenticationCWE-306Missing Authentication for Critical FunctionCWE-285Improper Authorization8 documents6 sources
Severity
9.6CRITICALNVD
EPSS
0.1%
top 79.43%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
8
Linuxfoundation Nats-serverGithub.com Nats-io Nats-server V2Debian Nats-server+5 more
Timeline
PublishedApr 16
Latest updateApr 22

Description

NATS-Server is a High-Performance server for NATS.io, the cloud and edge native messaging system. In versions starting from 2.2.0 but prior to 2.10.27 and 2.11.1, the management of JetStream assets happens with messages in the $JS. subject namespace in the system account; this is partially exposed into regular accounts to allow account holders to manage their assets. Some of the JS API requests were missing access controls, allowing any user with JS management permissions in any account to perfo

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:HExploitability: 3.1 | Impact: 5.8

Affected Packages8 packages

debiandebian/nats-server< nats-server 2.10.27-1 (forky)
Gogithub.com/nats-io_nats-server_v22.11.0-RC.12.11.1+2
Debianlinuxfoundation/nats-server< 2.10.27-1+1
CVEListV5nats-io/nats-server>= 2.11.0-RC.1, < 2.11.1, >= 2.2.0, < 2.10.27+1

🔴Vulnerability Details

4
OSV
Missing ACLs on JavaScript APIs allowing privilege escalation github.com/nats-io/nats-server2025-04-22
OSV
CVE-2025-30215: NATS-Server is a High-Performance server for NATS2025-04-16
GHSA
NATS Server may fail to authorize certain Jetstream admin APIs2025-04-15
OSV
NATS Server may fail to authorize certain Jetstream admin APIs2025-04-15

📋Vendor Advisories

3
Red Hat
nats-server: NATS-Server Fails to Authorize Certain Jetstream Admin APIs2025-04-15
Microsoft
NATS-Server Fails to Authorize Certain Jetstream Admin APIs2025-04-08
Debian
CVE-2025-30215: nats-server - NATS-Server is a High-Performance server for NATS.io, the cloud and edge native ...2025