github.com/nats-io/nats-server/v2 vulnerabilities
27 known vulnerabilities affecting github.com/nats-io_nats-server_v2.
Total CVEs: 27
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 15, MEDIUM 8, LOW 1, UNKNOWN 1
Vulnerabilities
Page 1 of 2
CVE-2025-30215 | P2 | CRITICAL | Affected: ≥ 2.11.0-RC.1, < 2.11.1; ≥ 2.2.0, < 2.10.27 | Date: 2025-04-15
CVE-2025-30215 [CRITICAL] CWE-285 NATS Server may fail to authorize certain Jetstream admin APIs
## Advisory
The management of JetStream assets happens with messages in the `$JS.` subject namespace in the system account; this is partially exposed into regular accounts to allow account holders to manage their assets.
Some of the JS API requests were missing access controls, allowing any user with JS management permissions in any ac
CVE-2020-26892 | P3 | CRITICAL | CVSS 9.8 | Affected: ≥ 0, < 2.1.9 | Date: 2021-05-21
CVE-2020-26892 [CRITICAL] CWE-284 Incorrect handling of credential expiry by /nats-io/nats-server
(This advisory is canonically https://advisories.nats.io/CVE/CVE-2020-26892.txt )
## Problem Description
NATS nats-server through 2020-10-07 has Incorrect Access Control because of how expired credentials are handled.
The NATS accounts system has expiration timestamps on credentials; the library had an API which encouraged misuse an
CVE-2022-24450 | P3 | HIGH | CVSS 8.8 | Affected: ≥ 2.0.0, < 2.7.2 | Date: 2022-02-08
CVE-2022-24450 [HIGH] CWE-863 Incorrect Authorization in NATS nats-server
(This advisory is canonically )
## Problem Description
NATS nats-server through 2022-02-04 has Incorrect Access Control, with unchecked ability for clients to authorize into any account, because of a coding error in a long-extant experimental feature.
A client crafting the initial protocol-level handshake could, with valid credentials for any account, specify a target account
CVE-2022-28357 | P3 | UNKNOWN | Affected: ≥ 2.2.0, < 2.7.4 | Date: 2024-08-21
CVE-2022-28357 NATS nats-server allows directory traversal via unintended path to a management action in github.com/nats-io/nats-server
CVE-2026-33218 | P3 | HIGH | CVSS 7.5 | Affected: ≥ 0, < 2.11.15; ≥ 2.12.0-RC.1, < 2.12.6 | Date: 2026-03-24
CVE-2026-33218 [HIGH] CWE-20 NATS has pre-auth server panic via leafnode handling
### Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server allows hub/spoke topologies using "leafnode" connections by other nats-servers.
### Problem Description
A client which can connect to the leafnode port can crash the nats-server with
CVE-2026-27889 | P3 | HIGH | Affected: ≥ 2.2.0, < 2.11.14; ≥ 2.12.0, < 2.12.5 | Date: 2026-03-25
CVE-2026-27889 [HIGH] CWE-190 NATS: Pre-auth remote server crash via WebSocket frame length overflow in wsRead
### Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
When using WebSockets, a malicious client can trigger a server crash with crafted frames, before authentication.
### Problem Description
A mi
CVE-2023-47090 | P3 | HIGH | Affected: ≥ 2.2.0, < 2.9.23; ≥ 2.10.0, < 2.10.2 | Date: 2023-10-19
CVE-2023-47090 [HIGH] CWE-305 NATS.io: Adding accounts for just the system account adds auth bypass
## Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
NATS users exist within accounts, and once using accounts, the old authorization block is not applicable.
## Problem Description
Without any authorization rules in
CVE-2026-33216 | P3 | HIGH | Affected: ≥ 0, < 2.11.15; ≥ 2.12.0-RC.1, < 2.12.6 | Date: 2026-03-24
CVE-2026-33216 [HIGH] CWE-256 NATS has MQTT plaintext password disclosure
### Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server provides an MQTT client interface.
### Problem Description
For MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) an
CVE-2026-29785 | P3 | HIGH | Affected: ≥ 0, < 2.11.14; ≥ 2.12.0-RC.1, < 2.12.5 | Date: 2026-03-24
CVE-2026-29785 [HIGH] CWE-476 NATS Server panic via malicious compression on leafnode port
### Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
When configured to accept leafnode connections (for a hub/spoke topology of multiple nats-servers), then the default configuration allows for negotiating compression; a malicious remot
CVE-2026-27571 | P3 | MEDIUM | Affected: ≥ 0, < 2.11.12; ≥ 2.12.0-RC.1, < 2.12.3 | Date: 2026-02-24
CVE-2026-27571 [MEDIUM] CWE-409 nats-server websockets are vulnerable to pre-auth memory DoS
### Impact
The WebSockets handling of NATS messages handles compressed messages via the WebSockets negotiated compression. The implementation bound the memory size of a NATS message but did not independently bound the memory consumption of the memory stream when constructing a NATS message which might then fail validation for size reasons.
A
CVE-2023-46129 | P3 | HIGH | Affected: ≥ 2.10.0, < 2.10.4 | Date: 2023-10-31
CVE-2023-46129 [HIGH] CWE-321 xkeys seal encryption used fixed key for all encryption
## Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The cryptographic key handling library, nkeys, recently gained support for encryption, not just for signing/authentication. This is used in nats-server 2.10 (Sep 2023) and newer for authenticatio
CVE-2021-3127 | P3 | HIGH | CVSS 7.5 | Affected: ≥ 0, < 2.2.0 | Date: 2021-05-21
CVE-2021-3127 [HIGH] github.com/nats-io/nats-server Import token permissions checking not enforced
(This advisory is canonically )
## Problem Description
The NATS server provides for Subjects which are namespaced by Account; all Subjects are supposed to be private to an account, with an Export/Import system used to grant cross-account access to some Subjects. Some Exports are public, such that anyone can import the
CVE-2022-26652 | P3 | MEDIUM | CVSS 6.5 | Affected: ≥ 2.2.0, < 2.7.4 | Date: 2022-03-10
CVE-2022-26652 [MEDIUM] CWE-22 Arbitrary file write in nats-server
(This document is canonically: )
## Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
JetStream is the optional RAFT-based resilient persistent feature of NATS.
## Problem Description
The JetStream streams can be backed up and restored via NATS. The backup format is a tar archive fi
CVE-2020-28466 | P3 | HIGH | Affected: ≥ 0, < 2.2.0 | Date: 2022-02-15
CVE-2020-28466 [HIGH] CWE-400 Denial of service in github.com/nats-io/nats-server/server
This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent service export/import cycles. Disclaimer from the maintainers - Running a NATS service which is exposed to untrusted users presents a heightened risk. Any remote execution flaw or equivalent serio
CVE-2019-13126 | P3 | HIGH | Affected: ≥ 0, < 2.2.0 | Date: 2021-05-18
CVE-2019-13126 [HIGH] CWE-190 Integer Overflow or Wraparound in NATS Server
An integer overflow in NATS Server before 2.2.0 allows a remote attacker to crash the server by sending a crafted request.
### Specific Go Packages Affected
github.com/nats-io/nats-server/v2/server
CVE-2026-33215 | P3 | MEDIUM | CVSS 6.5 | Affected: ≥ 0, < 2.11.15; ≥ 2.12.0-RC.1, < 2.12.6 | Date: 2026-03-24
CVE-2026-33215 [MEDIUM] CWE-287 NATS is vulnerable to MQTT hijacking via Client ID
### Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server provides an MQTT client interface.
### Problem Description
Sessions and Messages can be hijacked via MQTT Client ID malfeasance.
### Affected Versions
Any version before v2.12.6 or v
CVE-2022-29946 | P3 | HIGH | Affected: ≥ 0, < 2.8.2 | Date: 2024-07-11
CVE-2022-29946 [HIGH] CWE-863 NATS Server and Streaming Server fails to enforce negative user permissions, may allow denied subjects
NATS.io NATS Server before 2.8.2 and Streaming Server before 0.24.6 could allow a remote attacker to bypass security restrictions, caused by the failure to enforce negative user permissions in one scenario. By using a queue subscription on the wildcard, an attack
CVE-2026-33217 | P3 | HIGH | Affected: ≥ 0, < 2.11.15; ≥ 2.12.0-RC.1, < 2.12.6 | Date: 2026-03-24
CVE-2026-33217 [HIGH] CWE-863 NATS allows MQTT clients to bypass ACL checks
### Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server provides an MQTT client interface.
### Problem Description
When using ACLs on message subjects, these ACLs were not applied in the `$MQTT.>` namespace, allowing MQTT clients to bypass ACL checks f
CVE-2020-26521 | P3 | HIGH | CVSS 7.5 | Affected: ≥ 0, < 2.1.9 | Date: 2021-05-21
CVE-2020-26521 [HIGH] Nil dereference in NATS JWT causing DoS of nats-server
(This advisory is canonically )
## Problem Description
The NATS account system has an Operator trusted by the servers, which signs Accounts, and each Account can then create and sign Users within their account. The Operator should be able to safely issue Accounts to other entities which it does not fully trust.
A malicious Account could create and sign a User JW
CVE-2026-33219 | P4 | HIGH | CVSS 7.5 | Affected: ≥ 0, < 2.11.15; ≥ 2.12.0-RC.1, < 2.12.6 | Date: 2026-03-24
CVE-2026-33219 [HIGH] CWE-770 NATS is vulnerable to pre-auth DoS through WebSockets client service
### Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server offers a WebSockets client service, used in deployments where browsers are the NATS clients.
### Problem Description
A malicious client which can con