Skip to content
Threat Feed

Product

NATS Server

5 briefs RSS
high advisory

NATS.io MQTT ACL Bypass Vulnerability

A vulnerability in NATS.io versions before v2.12.6 or v2.11.15 allows MQTT clients to bypass ACL checks for MQTT subjects due to ACLs not being applied in the `$MQTT.>` namespace, potentially allowing unauthorized access and control of MQTT communications.

NATS server nats.io mqtt acl-bypass vulnerability
2r 1t
high advisory

NATS Server MQTT Password Disclosure Vulnerability

The NATS server exposes MQTT passwords in plaintext via monitoring endpoints due to incorrect classification as JWTs, affecting versions before v2.12.6 or v2.11.15.

NATS server nats mqtt credential-access vulnerability
3r 1t
high advisory

NATS Server Credentials Exposure via Monitoring Port

NATS servers configured with command-line credentials expose them through the `/debug/vars` endpoint on the monitoring port, affecting versions prior to 2.11.15 and between 2.12.0-RC.1 and 2.12.6, potentially leading to unauthorized access.

NATS server nats credential-exposure monitoring-port
3r
high advisory

NATS Server Panic via Malicious Compression on Leafnode Port

A vulnerability exists in NATS servers configured to accept leafnode connections where a malicious remote NATS server can trigger a server panic by exploiting compression negotiation on the leafnode port.

NATS server nats denial-of-service compression
2r 2t 1i
high advisory

NATS Server Pre-Authentication Denial-of-Service via Leafnode Handling

A pre-authentication denial-of-service vulnerability exists in NATS servers before versions v2.12.6 and v2.11.15, allowing a remote client connected to the leafnode port to crash the server by sending a malformed message.

NATS Server nats denial-of-service leafnode
2r 1t