github.com/nats-io/nats-server
Go13 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting github.com/nats-io/nats-serverpage 1 of 1
- CVE-2019-13126HIGHCVSS 7.5EG 7.52019-07-29
An integer overflow in NATS Server before 2.0.2 allows a remote attacker to crash the server by sending a crafted request. If authentication is enabled, then the remote attacker must have first authenticated.
- CVE-2020-28466HIGHCVSS 7.5EG 7.52021-03-07
This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent a service export/import cycles. Disclaimer from the maintainers: Running a NATS servic…
- CVE-2022-24450HIGHCVSS 8.8EG 8.82022-02-08
NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the "dynamically provisioned sandbox accounts" feature.
- CVE-2022-26652MEDIUMCVSS 6.5EG 6.52022-03-10
NATS nats-server before 2.7.4 allows Directory Traversal (with write access) via an element in a ZIP archive for JetStream streams. nats-streaming-server before 0.24.3 is also affected.
- CVE-2022-28357CRITICALCVSS 9.8EG 9.82023-09-19
NATS nats-server 2.2.0 through 2.7.4 allows directory traversal because of an unintended path to a management action from a management account.
- CVE-2022-29946MEDIUMCVSS 6.3EG 6.32024-07-11
NATS.io NATS Server before 2.8.2 and Streaming Server before 0.24.6 could allow a remote attacker to bypass security restrictions, caused by the failure to enforce negative user permissions in one scenario. By using a queue subscription on…
- CVE-2026-27889HIGHCVSS 7.5EG 7.52026-03-25
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.2.0 and prior to versions 2.11.14 and 2.12.5, a missing sanity check on a WebSockets frame could trigger a server panic i…
- CVE-2026-29785HIGHCVSS 7.5EG 7.52026-03-25
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.14 and 2.12.5, if the nats-server has the "leafnode" configuration enabled (not default), then anyone who can connect ca…
- CVE-2026-33216HIGHCVSS 7.5EG 7.52026-03-25
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, for MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authen…
- CVE-2026-33217MEDIUMCVSS 6.5EG 6.52026-03-25
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using ACLs on message subjects, these ACLs were not applied in the `$MQTT.>` namespace, allowing MQT…
- CVE-2026-33218HIGHCVSS 7.5EG 7.52026-03-25
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a client which can connect to the leafnode port can crash the nats-server with a certain malformed messag…
- CVE-2026-33219MEDIUMCVSS 5.3EG 5.32026-03-25
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-se…
- CVE-2026-33247MEDIUMCVSS 5.3EG 5.32026-03-25
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, if a nats-server is run with static credentials for all clients provided via argv (the command-line), the…
Check whether github.com/nats-io/nats-server is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for github.com/nats-io/nats-server CVEs against the assets you own.
Start Free Scan →