Lucene search
K
LinuxfoundationNats-server*

14 matches found

CVE
CVE
added 2020/11/06 7:35 a.m.74 views

CVE-2020-26521

CVE-2020-26521 affects NATS server’s JWT handling: the JWT library (used by nats-server) can dereference nil during decoding, causing Denial of Service. Affected: NATS Server versions before 2.1.9. Root cause: nil dereference in Go code when processing User JWTs. Remediation: upgrade the JWT depe...

7.5CVSS7.2AI score0.0209EPSS
CVE
CVE
added 2020/11/06 7:36 a.m.70 views

CVE-2020-26892

Summary : CVE-2020-26892 affects NATS nats-server before 2.1.9 due to incorrect access control from how expired credentials are handled in the JWT library. The vulnerability stems from the JWT package’s credential expiry checks, which could allow bypassing access restrictions. Affected versions i...

9.8CVSS9.3AI score0.02054EPSS
CVE
CVE
added 2019/07/29 4:7 p.m.57 views

CVE-2019-13126

CVE-2019-13126 is an integer overflow in the NATS Server prior to 2.0.2 that allows a remote attacker to crash the server by sending a crafted request; if authentication is enabled, the attacker must have authenticated first. Public notices extend risk to later versions (e.g., GHSA references for...

7.5CVSS7.6AI score0.01739EPSS
CVE
CVE
added 2026/02/24 3:59 p.m.35 views

CVE-2026-27571

NATS-Server WebSockets handling is vulnerable to a pre-auth memory DoS via a compression bomb. Prior to v2.11.2 and v2.12.3, memory bounds for a NATS message were not independently applied to the memory stream, allowing excessive memory consumption and potential OS termination. The issue is explo...

7.5CVSS5.7AI score0.00478EPSS
CVE
CVE
added 2026/03/25 8:10 p.m.26 views

CVE-2026-33222

NATS-Server (JetStream) contains an authorization bypass via the JetStream management API: users with JetStream admin API access to restore one stream could restore to other stream names, risking data overwrite across streams. Affected versions are prior to 2.11.15 and 2.12.6. The fixed releases ...

4.9CVSS5.8AI score0.00306EPSS
CVE
CVE
added 2026/03/25 8:2 p.m.26 views

CVE-2026-33247

CVE-2026-33247 affects the NATS-Server (NATS.io). Prior to versions 2.11.15 and 2.12.6, running nats-server with static credentials provided via argv causes those credentials to be visible to any user who can see the monitoring port; the /debug/vars endpoint exposes an unredacted argv. A fix is a...

7.5CVSS5.8AI score0.00414EPSS
CVE
CVE
added 2026/03/25 8:20 p.m.24 views

CVE-2026-33223

CVE-2026-33223 affects NATS-Server. Prior to versions 2.11.15 and 2.12.6, the Nats-Request-Info header, intended to guarantee identity, could still be stripped incompletely from inbound messages, allowing an attacker with valid credentials to spoof identity to services relying on that header. The...

6.4CVSS5.8AI score0.00211EPSS
CVE
CVE
added 2026/03/25 7:43 p.m.22 views

CVE-2026-33217

CVE-2026-33217 affects NATS-Server prior to versions 2.11.15 and 2.12.6, where ACLs on message subjects were not applied in the $MQTT.> namespace, letting MQTT clients bypass ACL checks for MQTT subjects. Root cause: ACLs not enforced in that namespace. Impact: potential unauthorized access/by...

8.1CVSS5.8AI score0.00259EPSS
CVE
CVE
added 2026/03/25 7:53 p.m.21 views

CVE-2026-33218

CVE-2026-33218 affects NATS-Server. Prior to versions 2.11.15 and 2.12.6, a client able to reach the leafnode port can crash the server with a specially malformed message before authentication. Versions 2.11.15 and 2.12.6 include a fix. Affected product: NATS-Server (leafnode handling). Root caus...

7.5CVSS5.8AI score0.00616EPSS
CVE
CVE
added 2026/03/25 7:55 p.m.20 views

CVE-2026-33219

CVE-2026-33219 affects NATS-Server (NATS.io) before versions 2.11.15 and 2.12.6. A malicious client connecting to the WebSockets port can trigger unbounded memory growth in nats-server prior to authentication by sending a large amount of data. This is a milder variant of CVE-2026-27571 and requir...

7.5CVSS5.8AI score0.00532EPSS
CVE
CVE
added 2026/03/25 7:38 p.m.14 views

CVE-2026-29785

CVE-2026-29785 affects the NATS-Server (NATS.io) prior to versions 2.11.14 and 2.12.5. When leafnode is enabled (not default) and compression is enabled (default with leafnodes), an unauthenticated attacker who can connect can crash the server by triggering a panic. The condition is pre-authentic...

7.5CVSS5.8AI score0.00658EPSS
CVE
CVE
added 2026/03/25 7:41 p.m.14 views

CVE-2026-33216

Impactful CVE-2026-33216 (NATS-Server) : In MQTT deployments using usercodes/passwords, passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed through monitoring endpoints. Affected versions are prior to 2.11.15 and 2.12.6; fixes are in 2.11.14 and 2.12....

8.6CVSS5.8AI score0.00365EPSS
CVE
CVE
added 2026/03/25 7:50 p.m.14 views

CVE-2026-33246

CVE-2026-33246 affects the NATS-Server (NATS.io). The issue is that the Nats-Request-Info: header used for identity could be spoofed when a leafnode connects to a nats-server, potentially enabling identity claims to be misrepresented. The root cause is header spoofing in leafnode connections; the...

6.4CVSS5.8AI score0.00143EPSS
CVE
CVE
added 2026/03/25 8:18 p.m.11 views

CVE-2026-33248

NATS-Server has an authentication bypass vulnerability in mTLS verify_and_map where certain RDN patterns in the client certificate Subject DN were not correctly enforced. A valid certificate from a trusted CA could bypass identity checks on versions prior to 2.11.15 and 2.12.6. The issue is consi...

4.2CVSS5.8AI score0.00143EPSS