Access Control Flaw in NATS-Server Affects Cloud Messaging Management
CVE-2025-30215
Score: 9.6 CRITICAL
Key Information:
- Vendor: nats-io
- Product: nats-server
- CVE Published: 16 April 2025
Summary
NATS-Server, the high-performance messaging server for NATS.io, contains an access control flaw in versions 2.2.0 through 2.10.26 and in 2.11.0. A user who holds JetStream management permissions in any account can execute administrative actions on JetStream assets belonging to other accounts. The affected management APIs are not protected by the account boundary, so a user in one account could, for example, destroy streams or other assets owned by a different account; the contents of those streams are not disclosed, which is why the confidentiality impact is rated as none while the integrity impact is high. To mitigate this risk, upgrade to NATS-Server 2.11.1 (for the 2.11 line) or 2.10.27 (for the 2.10 line).
Affected Version(s)
- nats-server >= 2.2.0, < 2.10.27 (unaffected: < 2.2.0; fixed in 2.10.27)
- nats-server >= 2.11.0-RC.1, < 2.11.1 (unaffected: < 2.11.0-RC.1; fixed in 2.11.1)
CVSS v3.1
- Score: 9.6
- Severity: CRITICAL
- Confidentiality: None
- Integrity: High
- Availability: None
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
Timeline
- 16 April 2025: Vulnerability published (CVE-2025-30215)