github.com/nats-io/nats-server/v2
Go · 12 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting github.com/nats-io/nats-server/v2 (page 1 of 1)
- CVE-2019-13126 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 2.2.0 · Published 2019-07-29
An integer overflow in NATS Server before 2.0.2 allows a remote attacker to crash the server by sending a crafted request. If authentication is enabled, then the remote attacker must have first authenticated.
- CVE-2020-26521 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 2.1.9 · Published 2020-11-06
The JWT library in NATS nats-server before 2.1.9 allows a denial of service (a nil dereference in Go code).
- CVE-2020-26892 · CRITICAL · CVSS 9.8 · EG 9.8 · ✓ Fixed in 2.1.9 · Published 2020-11-06
The JWT library in NATS nats-server before 2.1.9 has Incorrect Access Control because of how expired credentials are handled.
- CVE-2020-28466 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 2.2.0 · Published 2021-03-07
This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent service export/import cycles. Disclaimer from the maintainers: Running a NATS servic…
- CVE-2021-3127 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 2.2.0 · Published 2021-03-16
NATS Server 2.x before 2.2.0 and JWT library before 2.0.1 have Incorrect Access Control because Import Token bindings are mishandled.
- CVE-2022-24450 · HIGH · CVSS 8.8 · EG 8.8 · ✓ Fixed in 2.7.2 · Published 2022-02-08
NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the "dynamically provisioned sandbox accounts" feature.
- CVE-2022-26652 · MEDIUM · CVSS 6.5 · EG 6.5 · ✓ Fixed in 2.7.4 · Published 2022-03-10
NATS nats-server before 2.7.4 allows Directory Traversal (with write access) via an element in a ZIP archive for JetStream streams. nats-streaming-server before 0.24.3 is also affected.
- CVE-2022-28357 · CRITICAL · CVSS 9.8 · EG 9.8 · ✓ Fixed in 2.7.4 · Published 2023-09-19
NATS nats-server 2.2.0 through 2.7.4 allows directory traversal because of an unintended path to a management action from a management account.
- CVE-2022-29946 · MEDIUM · CVSS 6.3 · EG 6.3 · ✓ Fixed in 2.8.2 · Published 2024-07-11
NATS.io NATS Server before 2.8.2 and Streaming Server before 0.24.6 could allow a remote attacker to bypass security restrictions, caused by the failure to enforce negative user permissions in one scenario. By using a queue subscription on…
- CVE-2023-46129 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 2.10.4 · Published 2023-10-31
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The cryptographic key handling library, nkeys, recently gained support for encryption, not ju…
- CVE-2023-47090 · MEDIUM · CVSS 6.5 · EG 6.5 · ✓ Fixed in 2.10.2 · Published 2023-10-30
NATS nats-server before 2.9.23 and 2.10.x before 2.10.2 has an authentication bypass. An implicit $G user in an authorization block can sometimes be used for unauthenticated access, even when the intention of the configuration was for each…
- CVE-2025-30215 · CRITICAL · CVSS 9.6 · EG 9.6 · ✓ Fixed in 2.11.1 · Published 2025-04-16
NATS-Server is a High-Performance server for NATS.io, the cloud and edge native messaging system. In versions starting from 2.2.0 but prior to 2.10.27 and 2.11.1, the management of JetStream assets happens with messages in the $JS. subject…
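CVE-2022-26652 above is the classic "zip slip" pattern: an archive entry name such as `../../etc/cron.d/x` is joined onto the restore directory and written wherever it points. The check that prevents it is small and worth seeing in full. The following is an added example written for this page, not code from nats-server or from any NATS advisory; the restore directory name `restore` and the archive contents are constructed sample data. It vets every entry of an in-memory ZIP against the destination directory before anything is written, rejecting absolute paths, names that resolve outside the destination (including backslash-separated ones), and symlink entries, while still allowing a name like `../restore/x` that re-enters the destination.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned for an entry name that would resolve outside
// the destination directory.
var ErrTraversal = errors.New("zip entry escapes destination directory")

// safeJoin maps an archive entry name to a path under dest and refuses
// anything that does not stay strictly inside dest. The decision is made
// on the cleaned, joined result rather than by searching the name for
// "..", so "a/../../x", "/abs" and `..\x` are all caught, while a name
// such as "../restore/x" that re-enters dest is correctly allowed.
func safeJoin(dest, name string) (string, error) {
	if name == "" {
		return "", ErrTraversal
	}
	// Normalise Windows separators: an archive written on Windows may carry
	// them, and a backslash is an ordinary filename byte on Unix.
	name = strings.ReplaceAll(name, `\`, "/")
	if strings.HasPrefix(name, "/") || filepath.IsAbs(name) {
		return "", ErrTraversal
	}
	cleanDest := filepath.Clean(dest)
	// filepath.Join cleans the result, so every ".." has been applied here.
	target := filepath.Join(cleanDest, filepath.FromSlash(name))
	if target == cleanDest || !strings.HasPrefix(target, cleanDest+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return target, nil
}

// vetArchive partitions the entries of an in-memory ZIP into names that may
// be written under dest and names that must be refused (path traversal or
// symlink entries). It writes nothing, so it can run before extraction.
func vetArchive(data []byte, dest string) ([]string, []string, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if zr == nil {
		return nil, nil, err
	}
	// Go 1.20+ may hand back a usable reader together with an "insecure
	// path" error when GODEBUG=zipinsecurepath=0. Every entry is checked
	// below regardless, so that error is not treated as fatal here.
	var accepted, rejected []string
	for _, f := range zr.File {
		if f.Mode()&os.ModeSymlink != 0 {
			// A symlink entry can redirect a later write to a path outside dest.
			rejected = append(rejected, f.Name)
			continue
		}
		if _, jerr := safeJoin(dest, f.Name); jerr != nil {
			rejected = append(rejected, f.Name)
			continue
		}
		accepted = append(accepted, f.Name)
	}
	return accepted, rejected, nil
}

// buildSampleArchive constructs, in memory, a ZIP that mixes legitimate
// entries with traversal attempts. The names and bodies are made-up sample
// data for this example, not a real JetStream backup.
func buildSampleArchive() []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, e := range []struct{ name, body string }{
		{"meta.inf", `{"name":"ORDERS"}`},                     // legitimate
		{"msgs/1.blk", "message block"},                        // legitimate, nested
		{"../../etc/cron.d/backdoor", "* * * * * root sh /tmp/x"}, // escapes dest
		{"/etc/passwd", "root:x:0:0"},                          // absolute path
		{`..\..\win\evil.txt`, "backslash traversal"},          // Windows-style separators
	} {
		w, err := zw.Create(e.name) // zip.Writer does not validate entry names
		if err != nil {
			panic(err)
		}
		if _, err := w.Write([]byte(e.body)); err != nil {
			panic(err)
		}
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	accepted, rejected, err := vetArchive(buildSampleArchive(), "restore")
	if err != nil {
		fmt.Println("unreadable archive:", err)
		os.Exit(1)
	}
	fmt.Println("accepted:", accepted)
	fmt.Println("rejected:", rejected)
}
```

The prefix comparison has to include the trailing separator: comparing against `restore` alone would let `restore-old/x` through. Vetting the whole archive before writing any file also means a single bad entry fails the restore atomically instead of leaving a half-written directory behind.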