CVE-2025-30215

Published: Apr 15, 2025

Modified: Apr 17, 2025

PUBLISHED

CVSS v3.1

9.6

CRITICAL

Description

NATS-Server is a High-Performance server for NATS.io, the cloud and edge native messaging system. In versions starting from 2.2.0 but prior to 2.10.27 and 2.11.1, the management of JetStream assets happens with messages in the $JS. subject namespace in the system account; this is partially exposed into regular accounts to allow account holders to manage their assets. Some of the JS API requests were missing access controls, allowing any user with JS management permissions in any account to perform certain administrative actions on any JS asset in any other account. At least one of the unprotected APIs allows for data destruction. None of the affected APIs allow disclosing stream contents. This vulnerability is fixed in v2.11.1 or v2.10.27.

Vendor	Product	Versions
nats-io	nats-server	affected `>= 2.2.0, < 2.10.27` affected `>= 2.11.0-RC.1, < 2.11.1`

Weaknesses (CWE)

CWE-306

CWE-287

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

High

Availability

High

References

https://github.com/nats-io/nats-server/security/advisories/GHSA-fhg8-qxh5-7q3w

x_refsource_CONFIRM

https://advisories.nats.io/CVE/secnote-2025-01.txt

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-30215

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References