Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

nats-io — Vulnerabilities & Security Advisories 16

Browse all 16 CVE security advisories affecting nats-io. AI-powered Chinese analysis, POCs, and references for each vulnerability.

NATS is an open-source messaging system focused on high-performance event streaming and microservices communication. Historically, vulnerabilities have included remote code execution, cross-site scripting, and privilege escalation, often stemming from improper input validation and authentication flaws. The project has addressed security through regular updates and a bug bounty program. While no major public incidents have been widely documented, the 16 recorded CVEs highlight potential risks in default configurations and third-party integrations. Security teams should prioritize hardening deployments, applying patches promptly, and implementing network segmentation to mitigate exposure.

Top products by nats-io: nats-server nkeys
CVE IDTitleCVSSSeverityPublished
CVE-2026-33249 NATS: Message tracing can be redirected to arbitrary subject — nats-serverCWE-863 4.3 Medium2026-03-25
CVE-2026-33223 NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing — nats-serverCWE-290 6.4 Medium2026-03-25
CVE-2026-33248 NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching — nats-serverCWE-287 4.2 Medium2026-03-25
CVE-2026-33222 NATS JetStream has an authorization bypass through its Management API — nats-serverCWE-285 4.9 Medium2026-03-25
CVE-2026-33247 NATS credentials are exposed in monitoring port via command-line argv — nats-serverCWE-215 7.4 High2026-03-25
CVE-2026-33219 NATS is vulnerable to pre-auth DoS through WebSockets client service — nats-serverCWE-770 5.3 Medium2026-03-25
CVE-2026-33218 NATS has pre-auth server panic via leafnode handling — nats-serverCWE-20 7.5 High2026-03-25
CVE-2026-33246 NATS: Leafnode connections allow spoofing of Nats-Request-Info identity headers — nats-serverCWE-287 6.4 Medium2026-03-25
CVE-2026-33217 NATS allows MQTT clients to bypass ACL checks — nats-serverCWE-863 7.1 High2026-03-25
CVE-2026-33216 NATS has MQTT plaintext password disclosure — nats-serverCWE-256 8.6 High2026-03-25
CVE-2026-29785 NATS Server panic via malicious compression on leafnode port — nats-serverCWE-476 7.5 High2026-03-25
CVE-2026-27889 NATS: Pre-auth remote server crash via WebSocket frame length overflow in wsRead — nats-serverCWE-190 7.5 High2026-03-25
CVE-2026-33215 NATS is vulnerable to MQTT hijacking via Client ID — nats-serverCWE-287 6.5 Medium2026-03-24
CVE-2026-27571 nats-server websockets are vulnerable to pre-auth memory DoS — nats-serverCWE-409 5.9 Medium2026-02-24
CVE-2025-30215 NATS-Server Fails to Authorize Certain Jetstream Admin APIs — nats-serverCWE-306 9.6 Critical2025-04-15
CVE-2023-46129 xkeys Seal encryption used fixed key for all encryption — nkeysCWE-321 7.5 High2023-10-30

This page lists every published CVE security advisory associated with nats-io. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.