apk package

chainguard/nats-top-fips

pkg:apk/chainguard/nats-top-fips

Vulnerabilities (54)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-33248		—	< 0.6.3-r16	0.6.3-r16	Mar 25, 2026	NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with `verify_and_map` to derive a NATS identity from the client certificate's Subject DN, certain patterns of
CVE-2026-33222		—	< 0.6.3-r16	0.6.3-r16	Mar 25, 2026	NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected a
CVE-2026-33247		—	< 0.6.3-r16	0.6.3-r16	Mar 25, 2026	NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, if a nats-server is run with static credentials for all clients provided via argv (the command-line), then those credentials are visible to any us
CVE-2026-33219		—	< 0.6.3-r16	0.6.3-r16	Mar 25, 2026	NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires
CVE-2026-33218		—	< 0.6.3-r16	0.6.3-r16	Mar 25, 2026	NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication. Versions 2.11.15 an
CVE-2026-33246		—	< 0.6.3-r16	0.6.3-r16	Mar 25, 2026	NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server offers a `Nats-Request-Info:` message header, providing information about a request. This is supposed to provide enough information to allow for account/user identifica
CVE-2026-33217		—	< 0.6.3-r16	0.6.3-r16	Mar 25, 2026	NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using ACLs on message subjects, these ACLs were not applied in the `$MQTT.>` namespace, allowing MQTT clients to bypass ACL checks for MQTT s
CVE-2026-33216		—	< 0.6.3-r16	0.6.3-r16	Mar 25, 2026	NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, for MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exp
CVE-2026-29785		—	< 0.6.3-r15	0.6.3-r15	Mar 25, 2026	NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.14 and 2.12.5, if the nats-server has the "leafnode" configuration enabled (not default), then anyone who can connect can crash the nats-server by triggering a p
CVE-2026-33215		—	< 0.6.3-r16	0.6.3-r16	Mar 24, 2026	NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server provides an MQTT client interface. Prior to versions 2.11.15 and 2.12.5, Sessions and Messages can by hijacked via MQTT Client ID malfeasance. Versions 2.11.15 and 2.12
CVE-2026-27571		—	< 0.6.3-r13	0.6.3-r13	Feb 24, 2026	NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The WebSockets handling of NATS messages handles compressed messages via the WebSockets negotiated compression. Prior to versions 2.11.2 and 2.12.3, the implementation bound the memory
CVE-2025-68121	Cri	10.0	< 0.6.3-r11	0.6.3-r11	Feb 5, 2026	During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and
CVE-2025-61732		—	< 0.6.3-r11	0.6.3-r11	Feb 5, 2026	A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
CVE-2025-61728		—	< 0	0	Jan 28, 2026	archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.
CVE-2025-61726		—	< 0.6.3-r10	0.6.3-r10	Jan 28, 2026	The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a la
CVE-2025-61730		—	< 0.6.3-r10	0.6.3-r10	Jan 28, 2026	During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor i
CVE-2025-61731		—	< 0.6.3-r10	0.6.3-r10	Jan 28, 2026	Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can
CVE-2025-68119		—	< 0.6.3-r10	0.6.3-r10	Jan 28, 2026	Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are
CVE-2025-47914		—	< 0.6.3-r8	0.6.3-r8	Nov 19, 2025	SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.
CVE-2025-58181		—	< 0.6.3-r8	0.6.3-r8	Nov 19, 2025	SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

CVE-2026-33248Mar 25, 2026
affected < 0.6.3-r16fixed 0.6.3-r16
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with `verify_and_map` to derive a NATS identity from the client certificate's Subject DN, certain patterns of
CVE-2026-33222Mar 25, 2026
affected < 0.6.3-r16fixed 0.6.3-r16
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected a
CVE-2026-33247Mar 25, 2026
affected < 0.6.3-r16fixed 0.6.3-r16
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, if a nats-server is run with static credentials for all clients provided via argv (the command-line), then those credentials are visible to any us
CVE-2026-33219Mar 25, 2026
affected < 0.6.3-r16fixed 0.6.3-r16
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires
CVE-2026-33218Mar 25, 2026
affected < 0.6.3-r16fixed 0.6.3-r16
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication. Versions 2.11.15 an
CVE-2026-33246Mar 25, 2026
affected < 0.6.3-r16fixed 0.6.3-r16
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server offers a `Nats-Request-Info:` message header, providing information about a request. This is supposed to provide enough information to allow for account/user identifica
CVE-2026-33217Mar 25, 2026
affected < 0.6.3-r16fixed 0.6.3-r16
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using ACLs on message subjects, these ACLs were not applied in the `$MQTT.>` namespace, allowing MQTT clients to bypass ACL checks for MQTT s
CVE-2026-33216Mar 25, 2026
affected < 0.6.3-r16fixed 0.6.3-r16
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, for MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exp
CVE-2026-29785Mar 25, 2026
affected < 0.6.3-r15fixed 0.6.3-r15
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.14 and 2.12.5, if the nats-server has the "leafnode" configuration enabled (not default), then anyone who can connect can crash the nats-server by triggering a p
CVE-2026-33215Mar 24, 2026
affected < 0.6.3-r16fixed 0.6.3-r16
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server provides an MQTT client interface. Prior to versions 2.11.15 and 2.12.5, Sessions and Messages can by hijacked via MQTT Client ID malfeasance. Versions 2.11.15 and 2.12
CVE-2026-27571Feb 24, 2026
affected < 0.6.3-r13fixed 0.6.3-r13
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The WebSockets handling of NATS messages handles compressed messages via the WebSockets negotiated compression. Prior to versions 2.11.2 and 2.12.3, the implementation bound the memory
CVE-2025-68121CriFeb 5, 2026
affected < 0.6.3-r11fixed 0.6.3-r11
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and
CVE-2025-61732Feb 5, 2026
affected < 0.6.3-r11fixed 0.6.3-r11
A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
CVE-2025-61728Jan 28, 2026
affected < 0fixed 0
archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.
CVE-2025-61726Jan 28, 2026
affected < 0.6.3-r10fixed 0.6.3-r10
The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a la
CVE-2025-61730Jan 28, 2026
affected < 0.6.3-r10fixed 0.6.3-r10
During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor i
CVE-2025-61731Jan 28, 2026
affected < 0.6.3-r10fixed 0.6.3-r10
Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can
CVE-2025-68119Jan 28, 2026
affected < 0.6.3-r10fixed 0.6.3-r10
Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are
CVE-2025-47914Nov 19, 2025
affected < 0.6.3-r8fixed 0.6.3-r8
SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.
CVE-2025-58181Nov 19, 2025
affected < 0.6.3-r8fixed 0.6.3-r8
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

Page 2 of 3