CVE-2022-26652
Description
NATS nats-server before 2.7.4 allows Directory Traversal (with write access) via an element in a ZIP archive for JetStream streams. nats-streaming-server before 0.24.3 is also affected.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NATS nats-server 2.2.0–2.7.3 and nats-streaming-server 0.15.0–0.24.2 allow directory traversal via a Zip Slip attack during JetStream stream restore, enabling arbitrary file write.
Vulnerability
NATS nats-server before version 2.7.4 and nats-streaming-server before version 0.24.3 contain a directory traversal vulnerability in the JetStream stream restore functionality. The backup and restore mechanism for JetStream streams uses a tar archive, and inadequate validation of filenames within the archive allows a Zip Slip attack [1][2][3][4]. Affected versions are nats-server 2.2.0 through 2.7.3 and nats-streaming-server 0.15.0 through 0.24.2 [3][4].
Exploitation
An attacker must have a NATS account with permission to use JetStream and the ability to initiate a stream restore operation [4]. The attacker crafts a malicious tar archive containing filenames with directory traversal sequences (e.g., ../). When the server processes the archive during restore, it writes files to locations outside the intended JetStream storage directory, subject to the server process's filesystem permissions [3][4]. No additional authentication or user interaction beyond standard JetStream API access is required.
Impact
Successful exploitation allows an attacker to write arbitrary content to arbitrary files on the server filesystem, controlled by the archive's filenames. This can lead to arbitrary code execution if the attacker overwrites critical configuration or executable files, or cause denial of service by corrupting system files [3][4]. The server runs with the privileges of the nats-server process; in typical deployments this may be a limited user, but a compromise of the server host is possible.
Mitigation
Fixed versions are nats-server 2.7.4 and nats-streaming-server 0.24.3, released March 9, 2022 [1][3][4]. Users should upgrade immediately. Workarounds include disabling JetStream for untrusted users, sandboxing the server process (e.g., with systemd's ProtectSystem=strict), or restricting JetStream API access to a single trusted account [3][4].
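The defensive check this class of bug calls for is to resolve every archive entry name under the restore root before any write and refuse anything that lands outside it. The following is an added Go example written for this page; it is not nats-server's own code and not the change made in PR 2917. The names SafeJoin, RestoreTar, BuildTar and Entry, and the sample archives built in memory, are assumptions constructed for the illustration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafePath is returned for any entry whose name would resolve outside the restore root.
var ErrUnsafePath = errors.New("archive entry escapes restore root")

// SafeJoin resolves an archive entry name under root and rejects names that would escape it:
// empty names, absolute names, and names whose "../" components climb above root.
func SafeJoin(root, name string) (string, error) {
	if name == "" || filepath.IsAbs(name) || strings.HasPrefix(name, "/") {
		return "", ErrUnsafePath
	}
	cleanRoot := filepath.Clean(root)
	// Join cleans the result, so "sub/../../x" collapses before the prefix check runs.
	dest := filepath.Join(cleanRoot, name)
	if dest != cleanRoot && !strings.HasPrefix(dest, cleanRoot+string(os.PathSeparator)) {
		return "", ErrUnsafePath
	}
	return dest, nil
}

// RestoreTar extracts a tar stream into root, refusing to write outside it.
// Only directories and regular files are restored; symlinks and hard links are
// rejected because their targets could likewise point outside root.
func RestoreTar(r io.Reader, root string) error {
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err
		}
		dest, err := SafeJoin(root, hdr.Name) // validated before any filesystem write
		if err != nil {
			return fmt.Errorf("entry %q: %w", hdr.Name, err)
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			if err := os.MkdirAll(dest, 0o750); err != nil {
				return err
			}
		case tar.TypeReg:
			if err := os.MkdirAll(filepath.Dir(dest), 0o750); err != nil {
				return err
			}
			f, err := os.OpenFile(dest, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o640)
			if err != nil {
				return err
			}
			_, err = io.Copy(f, tr)
			f.Close()
			if err != nil {
				return err
			}
		default:
			return fmt.Errorf("entry %q: unsupported entry type %d", hdr.Name, hdr.Typeflag)
		}
	}
}

// Entry is a constructed archive member used to build sample archives in memory.
type Entry struct {
	Name string
	Body string
}

// BuildTar writes the entries as regular files into an in-memory tar archive (test input only).
func BuildTar(entries []Entry) ([]byte, error) {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		hdr := &tar.Header{Name: e.Name, Mode: 0o640, Size: int64(len(e.Body)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			return nil, err
		}
		if _, err := io.WriteString(tw, e.Body); err != nil {
			return nil, err
		}
	}
	if err := tw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	root, err := os.MkdirTemp("", "js-restore-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	good, _ := BuildTar([]Entry{{"stream/meta.json", "{}"}})
	fmt.Println("well-formed archive:", RestoreTar(bytes.NewReader(good), root))
	// Constructed entry of the kind the advisory describes; it is refused before any write happens.
	bad, _ := BuildTar([]Entry{{"../escape.txt", "x"}})
	fmt.Println("traversal archive:", RestoreTar(bytes.NewReader(bad), root))
}
```

The check is done on the cleaned, joined path rather than by searching the raw name for `..`, so encodings such as `a/../../b` are caught as well. Restricting entry types to directories and regular files closes the related symlink escape; size limits on the extracted data are a separate concern not covered here.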
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/nats-io/nats-server/v2 | Go | >= 2.2.0, < 2.7.4 | 2.7.4 |
| github.com/nats-io/nats-streaming-server | Go | >= 0.15.0, < 0.24.3 | 0.24.3 |
Affected products
- NATS/nats-server
  - pkg:bitnami/nats (no CPE), range: >= 2.2.0, < 2.7.4
  - pkg:golang/github.com/nats-io/nats-server/v2 (no CPE), range: >= 2.2.0, < 2.7.4
  - pkg:golang/github.com/nats-io/nats-streaming-server (no CPE), range: >= 0.15.0, < 0.24.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-6h3m-36w8-hv68 (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2022-26652 (NVD advisory)
- https://www.openwall.com/lists/oss-security/2022/03/10/1 (oss-security mailing list)
- https://advisories.nats.io/CVE/CVE-2022-26652.txt (vendor advisory)
- https://github.com/nats-io/nats-server/pull/2917 (fix pull request)
- https://github.com/nats-io/nats-server/releases/tag/v2.7.4 (nats-server release)
- https://github.com/nats-io/nats-server/security/advisories/GHSA-6h3m-36w8-hv68 (vendor security advisory)
- https://github.com/nats-io/nats-streaming-server/releases/tag/v0.24.3 (nats-streaming-server release)
News mentions
No linked articles in our index yet.