Go modules package

github.com/nats-io/nats-server/v2

pkg:golang/github.com/nats-io/nats-server/v2

Vulnerabilities (23)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-33249		—	>= 2.11.0, < 2.11.15	2.11.15	Mar 25, 2026	NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.11.0 and prior to versions 2.11.15 and 2.12.6, a valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary
CVE-2026-33223		—	< 2.11.15	2.11.15	Mar 25, 2026	NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, the NATS message header `Nats-Request-Info:` is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from i
CVE-2026-33248		—	< 2.11.15	2.11.15	Mar 25, 2026	NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with `verify_and_map` to derive a NATS identity from the client certificate's Subject DN, certain patterns of
CVE-2026-33222		—	< 2.11.15	2.11.15	Mar 25, 2026	NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected a
CVE-2026-33247		—	< 2.11.15	2.11.15	Mar 25, 2026	NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, if a nats-server is run with static credentials for all clients provided via argv (the command-line), then those credentials are visible to any us
CVE-2026-33219		—	< 2.11.15	2.11.15	Mar 25, 2026	NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires
CVE-2026-33218		—	< 2.11.15	2.11.15	Mar 25, 2026	NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication. Versions 2.11.15 an
CVE-2026-33246		—	< 2.11.15	2.11.15	Mar 25, 2026	NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server offers a `Nats-Request-Info:` message header, providing information about a request. This is supposed to provide enough information to allow for account/user identifica
CVE-2026-33217		—	< 2.11.15	2.11.15	Mar 25, 2026	NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using ACLs on message subjects, these ACLs were not applied in the `$MQTT.>` namespace, allowing MQTT clients to bypass ACL checks for MQTT s
CVE-2026-33216		—	< 2.11.15	2.11.15	Mar 25, 2026	NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, for MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exp
CVE-2026-29785		—	< 2.11.14	2.11.14	Mar 25, 2026	NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.14 and 2.12.5, if the nats-server has the "leafnode" configuration enabled (not default), then anyone who can connect can crash the nats-server by triggering a p
CVE-2026-27889		—	>= 2.2.0, < 2.11.14	2.11.14	Mar 25, 2026	NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.2.0 and prior to versions 2.11.14 and 2.12.5, a missing sanity check on a WebSockets frame could trigger a server panic in the nats-server. This happens before a
CVE-2026-33215		—	< 2.11.15	2.11.15	Mar 24, 2026	NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server provides an MQTT client interface. Prior to versions 2.11.15 and 2.12.5, Sessions and Messages can by hijacked via MQTT Client ID malfeasance. Versions 2.11.15 and 2.12
CVE-2026-27571		—	< 2.11.12	2.11.12	Feb 24, 2026	NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The WebSockets handling of NATS messages handles compressed messages via the WebSockets negotiated compression. Prior to versions 2.11.2 and 2.12.3, the implementation bound the memory
CVE-2025-30215	Cri	9.6	>= 2.11.0-RC.1, < 2.11.1	2.11.1	Apr 16, 2025	NATS-Server is a High-Performance server for NATS.io, the cloud and edge native messaging system. In versions starting from 2.2.0 but prior to 2.10.27 and 2.11.1, the management of JetStream assets happens with messages in the $JS. subject namespace in the system account; this is
CVE-2022-29946	Med	6.3	< 2.8.2	2.8.2	Jul 11, 2024	NATS.io NATS Server before 2.8.2 and Streaming Server before 0.24.6 could allow a remote attacker to bypass security restrictions, caused by the failure to enforce negative user permissions in one scenario. By using a queue subscription on the wildcard, an attacker could exploit
CVE-2021-32026	low	—	< 2.2.3	2.2.3	May 14, 2024	(This advisory is canonically <https://advisories.nats.io/CVE/CVE-2021-32026.txt>) ### Problem Description The NATS server by default uses a restricted set of modern ciphersuites for TLS. This selection can be overridden through configuration. The defaults include just RSA and
CVE-2023-46129		—	>= 2.10.0, < 2.10.4	2.10.4	Oct 30, 2023	NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The cryptographic key handling library, nkeys, recently gained support for encryption, not just for signing/authentication. This is us
CVE-2023-47090		—	>= 2.2.0, < 2.9.23	2.9.23	Oct 30, 2023	NATS nats-server before 2.9.23 and 2.10.x before 2.10.2 has an authentication bypass. An implicit $G user in an authorization block can sometimes be used for unauthenticated access, even when the intention of the configuration was for each user to have an account. The earliest af
CVE-2022-26652		—	>= 2.2.0, < 2.7.4	2.7.4	Mar 10, 2022	NATS nats-server before 2.7.4 allows Directory Traversal (with write access) via an element in a ZIP archive for JetStream streams. nats-streaming-server before 0.24.3 is also affected.

CVE-2026-33249Mar 25, 2026
affected >= 2.11.0, < 2.11.15fixed 2.11.15
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.11.0 and prior to versions 2.11.15 and 2.12.6, a valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary
CVE-2026-33223Mar 25, 2026
affected < 2.11.15fixed 2.11.15
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, the NATS message header `Nats-Request-Info:` is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from i
CVE-2026-33248Mar 25, 2026
affected < 2.11.15fixed 2.11.15
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with `verify_and_map` to derive a NATS identity from the client certificate's Subject DN, certain patterns of
CVE-2026-33222Mar 25, 2026
affected < 2.11.15fixed 2.11.15
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected a
CVE-2026-33247Mar 25, 2026
affected < 2.11.15fixed 2.11.15
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, if a nats-server is run with static credentials for all clients provided via argv (the command-line), then those credentials are visible to any us
CVE-2026-33219Mar 25, 2026
affected < 2.11.15fixed 2.11.15
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires
CVE-2026-33218Mar 25, 2026
affected < 2.11.15fixed 2.11.15
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication. Versions 2.11.15 an
CVE-2026-33246Mar 25, 2026
affected < 2.11.15fixed 2.11.15
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server offers a `Nats-Request-Info:` message header, providing information about a request. This is supposed to provide enough information to allow for account/user identifica
CVE-2026-33217Mar 25, 2026
affected < 2.11.15fixed 2.11.15
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using ACLs on message subjects, these ACLs were not applied in the `$MQTT.>` namespace, allowing MQTT clients to bypass ACL checks for MQTT s
CVE-2026-33216Mar 25, 2026
affected < 2.11.15fixed 2.11.15
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, for MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exp
CVE-2026-29785Mar 25, 2026
affected < 2.11.14fixed 2.11.14
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.14 and 2.12.5, if the nats-server has the "leafnode" configuration enabled (not default), then anyone who can connect can crash the nats-server by triggering a p
CVE-2026-27889Mar 25, 2026
affected >= 2.2.0, < 2.11.14fixed 2.11.14
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.2.0 and prior to versions 2.11.14 and 2.12.5, a missing sanity check on a WebSockets frame could trigger a server panic in the nats-server. This happens before a
CVE-2026-33215Mar 24, 2026
affected < 2.11.15fixed 2.11.15
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server provides an MQTT client interface. Prior to versions 2.11.15 and 2.12.5, Sessions and Messages can by hijacked via MQTT Client ID malfeasance. Versions 2.11.15 and 2.12
CVE-2026-27571Feb 24, 2026
affected < 2.11.12fixed 2.11.12
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The WebSockets handling of NATS messages handles compressed messages via the WebSockets negotiated compression. Prior to versions 2.11.2 and 2.12.3, the implementation bound the memory
CVE-2025-30215CriApr 16, 2025
affected >= 2.11.0-RC.1, < 2.11.1fixed 2.11.1
NATS-Server is a High-Performance server for NATS.io, the cloud and edge native messaging system. In versions starting from 2.2.0 but prior to 2.10.27 and 2.11.1, the management of JetStream assets happens with messages in the $JS. subject namespace in the system account; this is
CVE-2022-29946MedJul 11, 2024
affected < 2.8.2fixed 2.8.2
NATS.io NATS Server before 2.8.2 and Streaming Server before 0.24.6 could allow a remote attacker to bypass security restrictions, caused by the failure to enforce negative user permissions in one scenario. By using a queue subscription on the wildcard, an attacker could exploit
CVE-2021-32026lowMay 14, 2024
affected < 2.2.3fixed 2.2.3
(This advisory is canonically <https://advisories.nats.io/CVE/CVE-2021-32026.txt>) ### Problem Description The NATS server by default uses a restricted set of modern ciphersuites for TLS. This selection can be overridden through configuration. The defaults include just RSA and
CVE-2023-46129Oct 30, 2023
affected >= 2.10.0, < 2.10.4fixed 2.10.4
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The cryptographic key handling library, nkeys, recently gained support for encryption, not just for signing/authentication. This is us
CVE-2023-47090Oct 30, 2023
affected >= 2.2.0, < 2.9.23fixed 2.9.23
NATS nats-server before 2.9.23 and 2.10.x before 2.10.2 has an authentication bypass. An implicit $G user in an authorization block can sometimes be used for unauthenticated access, even when the intention of the configuration was for each user to have an account. The earliest af
CVE-2022-26652Mar 10, 2022
affected >= 2.2.0, < 2.7.4fixed 2.7.4
NATS nats-server before 2.7.4 allows Directory Traversal (with write access) via an element in a ZIP archive for JetStream streams. nats-streaming-server before 0.24.3 is also affected.

Page 1 of 2