Denial of Service (DoS)
Description
This affects versions of package github.com/nats-io/nats-server/server before 2.2.0. Untrusted accounts are able to crash the server using configs that represent service export/import cycles. Disclaimer from the maintainers: Running a NATS service which is exposed to untrusted users presents a heightened risk. Any remote execution flaw or equivalent seriousness, or denial-of-service by unauthenticated users, will lead to prompt releases by the NATS maintainers. Fixes for denial of service issues with no threat of remote execution, when limited to account holders, are likely to just be committed to the main development branch with no special attention. Those who are running such services are encouraged to build regularly from git.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Service export/import cycles between accounts in NATS server allow an untrusted account holder to crash the server via an account definition (static config or account JWT) whose imports loop back on themselves.
Vulnerability
CVE-2020-28466 is a denial-of-service vulnerability in NATS server caused by cyclic service export/import configurations between accounts. Before 2.2.0 the server did not check for a cycle when resolving an account's service imports, so a request routed through the loop is followed from account to account without end and the server crashes [1][2].
Exploitation
An attacker who controls an account definition (config or account JWT) defines a service import from a second account whose matching export is itself backed by an import from the first, so the two imports form a loop. No server-administrator access is needed: on deployments that accept account definitions from untrusted parties, any such account holder can trigger the crash [3][4]. Authentication as an account holder is still required, which is why the maintainers class this as a DoS "limited to account holders" rather than one available to unauthenticated users.
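The loop described above, as an added Go illustration that is not nats-server's own code: accounts are modelled as a set of exported subjects plus a map from local subject to the (account, subject) it imports, which is a simplification of the real data structures. followImports walks a request across imports while keeping a visited set; the same walk without that set is the unbounded loop that crashed pre-2.2.0 servers, and importFormsCycle is the check a server should apply before accepting a new import. The account names, subjects and function names are constructed for the example.

```go
package main

import "fmt"

// serviceImport maps a local subject to a service exported by another account.
// Simplified model for illustration only; not nats-server's representation.
type serviceImport struct {
	fromAccount string // account that exports the service
	subject     string // subject in the exporting account
}

// account holds just the export/import data needed for cycle detection.
type account struct {
	name    string
	exports map[string]bool          // exported service subjects
	imports map[string]serviceImport // local subject -> imported service
}

type accountSet map[string]*account

// hop is one (account, subject) position reached while following imports.
type hop struct{ account, subject string }

// followImports follows a request on start across service imports until the
// subject is served locally or the import dangles. It returns the hops taken and
// whether the same (account, subject) was reached twice. Without the visited set
// this walk never terminates on a cyclic configuration (CVE-2020-28466).
func followImports(accs accountSet, start hop) (path []hop, cycle bool) {
	seen := map[hop]bool{}
	cur := start
	for {
		if seen[cur] {
			return path, true
		}
		seen[cur] = true
		path = append(path, cur)
		a, ok := accs[cur.account]
		if !ok {
			return path, false
		}
		si, ok := a.imports[cur.subject]
		if !ok {
			return path, false // subject is served in this account; walk ends
		}
		target, ok := accs[si.fromAccount]
		if !ok || !target.exports[si.subject] {
			return path, false // dangling import: nothing exported to follow
		}
		cur = hop{si.fromAccount, si.subject}
	}
}

// importFormsCycle is the admission check a server should run when an import
// is added: reject it if following it from the importing account loops back.
func importFormsCycle(accs accountSet, local, localSubject string) bool {
	_, cycle := followImports(accs, hop{local, localSubject})
	return cycle
}

// cyclicAccounts is constructed sample data for the vulnerable shape: A and B
// each export "help" and import the other's "help" under the same subject, so
// A:help -> B:help -> A:help.
func cyclicAccounts() accountSet {
	return accountSet{
		"A": {name: "A", exports: map[string]bool{"help": true},
			imports: map[string]serviceImport{"help": {fromAccount: "B", subject: "help"}}},
		"B": {name: "B", exports: map[string]bool{"help": true},
			imports: map[string]serviceImport{"help": {fromAccount: "A", subject: "help"}}},
	}
}

// chainAccounts is constructed sample data for a legitimate setup: A imports
// B's service and B serves it itself, so the walk ends after one hop.
func chainAccounts() accountSet {
	return accountSet{
		"A": {name: "A", exports: map[string]bool{},
			imports: map[string]serviceImport{"svc.b": {fromAccount: "B", subject: "svc.b"}}},
		"B": {name: "B", exports: map[string]bool{"svc.b": true},
			imports: map[string]serviceImport{}},
	}
}

func main() {
	cases := []struct {
		name  string
		accs  accountSet
		start hop
	}{
		{"cyclic", cyclicAccounts(), hop{"A", "help"}},
		{"chain", chainAccounts(), hop{"A", "svc.b"}},
	}
	for _, tc := range cases {
		path, cycle := followImports(tc.accs, tc.start)
		fmt.Printf("%s: path=%v cycle=%v\n", tc.name, path, cycle)
	}
}
```

The key design point is that the walk is keyed on (account, subject), not on account alone: two accounts importing each other's services under different subjects is a normal topology and terminates, while the same subject bouncing between the same two accounts is the loop the fix has to reject.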
Impact
Successful exploitation crashes the server process, denying service to every client connected to it until it is restarted. The issue is a denial of service only; there is no remote code execution risk [1][3].
Mitigation
The issue is fixed in NATS server version 2.2.0. The fix (PR #1731) was committed to the main development branch earlier but only shipped in a release with 2.2.0. Maintainers recommend building regularly from git for those running services exposed to untrusted users [3][4]. Until a server is upgraded, the exposure is limited to whoever can define or change account configurations or account JWTs, so restricting that ability to trusted parties reduces the risk.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/nats-io/nats-server | Go | < 2.2.0 | 2.2.0 |
| github.com/nats-io/nats-server/v2 | Go | < 2.2.0 | 2.2.0 |
Affected products
- OSV coordinates (7 enumerated versions): v2.0.0, v2.0.2, v2.0.4, …
- pkg:apk/chainguard/nats-server (no CPE), range: < 0
- pkg:apk/chainguard/nats-server-compat (no CPE), range: < 0
- pkg:apk/wolfi/nats-server (no CPE), range: < 0
- pkg:apk/wolfi/nats-server-compat (no CPE), range: < 0
- pkg:bitnami/nats (no CPE), range: >= 2.0.0, < 2.2.0
- pkg:golang/github.com/nats-io/nats-server (no CPE), range: < 2.2.0
- pkg:golang/github.com/nats-io/nats-server/v2 (no CPE), range: < 2.2.0
Patches
No patch entries are recorded in this index; the fixing change is linked under References (nats-server PR #1731 and commit 2e3c22672936f4980d343fb1d328b38919e74796).
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. GitHub Security Advisory GHSA-m4jx-6526-vvhm (advisory): github.com/advisories/GHSA-m4jx-6526-vvhm
2. NVD entry for CVE-2020-28466 (advisory): nvd.nist.gov/vuln/detail/CVE-2020-28466
3. oss-security mailing list post (MLIST): www.openwall.com/lists/oss-security/2021/03/16/1
4. oss-security mailing list post (MLIST): www.openwall.com/lists/oss-security/2021/03/16/2
5. Fix pull request, nats-server PR #1731 (MISC): github.com/nats-io/nats-server/pull/1731
6. Fix commit 2e3c22672936f4980d343fb1d328b38919e74796 in PR #1731: github.com/nats-io/nats-server/pull/1731/commits/2e3c22672936f4980d343fb1d328b38919e74796
7. Go vulnerability database entry GO-2022-0855: pkg.go.dev/vuln/GO-2022-0855
8. Snyk advisory SNYK-GOLANG-GITHUBCOMNATSIONATSSERVERSERVER-1042967 (MISC): snyk.io/vuln/SNYK-GOLANG-GITHUBCOMNATSIONATSSERVERSERVER-1042967
News mentions
No linked articles in our index yet.