NATS Advisories
- Security Note 2023-02 (aka CVE-2023-46129)
  - nkeys: xkeys Seal encryption used a fixed key for all encryption
  - Identifiers: CVE-2023-46129; GHSA-mr45-rx8q-wcm9
  - Date: 2023-10-26
- Security Note 2023-01
  - Adding accounts for just the system account adds an auth bypass
  - Identifiers: CVE-2023-47090; GHSA-fr2g-9hjm-wr23; GO-2023-2133
  - Date: 2023-10-12
- CVE-2022-42708
  - Server panic from inappropriate JetStream replica count
  - Date: 2022-10-10
- CVE-2022-42709
  - Server panic from Account import loops, similar to CVE-2020-28466
  - Date: 2022-10-10
- CVE-2022-29946
  - Negative user permissions not enforced in one scenario
  - Date: 2022-05-04
- CVE-2022-28357
  - Arbitrary file write from the privileged system account
  - Date: 2022-04-18
- CVE-2022-26652
  - Arbitrary file write by JetStream-enabled users
  - Date: 2022-03-09
- CVE-2022-24450
  - Unconstrained account assumption by authenticated clients (CRITICAL)
  - Date: 2022-02-07
- CVE-2021-32026
  - TLS missing ciphersuite settings when CLI flags used (very low severity)
  - Date: 2021-05-04
- CVE-2021-3127
  - Import token permissions checking not enforced
  - Date: 2021-03-15
- CVE-2020-28466
  - Account service import loop caused nats-server DoS
  - NATS server upgrade required to avoid Denial-of-Service
  - Date: 2021-03-15
  - See also: CVE-2022-42709
- CVE-2020-26521
  - Nil dereference in JWT library, causing Go panic
  - NATS server upgrade required to avoid Denial-of-Service
  - Date: 2020-11-02
- CVE-2020-26892
  - Incorrect credential expiration handling via JWT library
  - API fixes needed by library users
  - NATS server upgrade required for expiration to work
  - Date: 2020-11-02
- CVE-2020-26149
  - Information disclosure in JS client libraries
  - Reference: MITRE
  - Date: 2020-09-29
Exposure Statements
- log4j CVE-2021-44228
  - aka Log4Shell, aka LogJam
  - Statement for security teams about the exposure of the NATS ecosystem