Access Control Flaw in NATS-Server Affects Cloud Messaging Management
CVE-2025-30215
Severity: 9.6 CRITICAL
What is CVE-2025-30215?
NATS-Server, the server for the NATS.io messaging system, contains an access control flaw in versions 2.2.0 through 2.10.26 and in 2.11.0 (including its release candidates). A user holding JetStream management permissions in any account can perform administrative actions on JetStream assets that belong to other accounts, because the affected JetStream API operations are not checked against the caller's account. These unprotected operations cannot disclose the contents of streams, but they can be used to destroy data. To remediate, upgrade to NATS-Server 2.10.27 (for the 2.10 line) or 2.11.1 (for the 2.11 line).
Affected Version(s)
nats-server: affected >= 2.2.0, < 2.10.27; unaffected < 2.2.0; fixed in 2.10.27
nats-server: affected >= 2.11.0-RC.1, < 2.11.1; unaffected < 2.11.0-RC.1; fixed in 2.11.1
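To turn the ranges above into a check an operator can run against a fleet, here is an added example (not code from the NATS project or from this advisory): a small Go program that parses a nats-server version string, such as the one printed by `nats-server --version` or reported in the `version` field of the `/varz` monitoring endpoint, and reports whether it falls inside either affected range, including the 2.11.0-RC.1 pre-release boundary. The type and function names are my own, and the sample versions in main() are constructed for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// version is a parsed nats-server version: major.minor.patch plus an optional
// pre-release tag such as "RC.1" (as in 2.11.0-RC.1).
type version struct {
	major, minor, patch int
	pre                 string
}

// parseVersion accepts "2.10.26", "v2.10.26" or "2.11.0-RC.1" and rejects
// anything that is not three dotted integers with an optional "-pre" suffix.
func parseVersion(s string) (version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	var v version
	if i := strings.IndexByte(s, '-'); i >= 0 {
		v.pre = s[i+1:]
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("malformed version %q", s)
	}
	nums := make([]int, 3)
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return v, fmt.Errorf("malformed version %q: %w", s, err)
		}
		nums[i] = n
	}
	v.major, v.minor, v.patch = nums[0], nums[1], nums[2]
	return v, nil
}

// less reports whether a < b in semver order: numeric fields first, and a
// pre-release (2.11.0-RC.1) sorts before the same final release (2.11.0).
// Pre-release tags are compared lexically, which is enough for RC.1..RC.9.
func less(a, b version) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	if a.patch != b.patch {
		return a.patch < b.patch
	}
	if a.pre == "" && b.pre != "" {
		return false
	}
	if a.pre != "" && b.pre == "" {
		return true
	}
	return a.pre < b.pre
}

// affectedRanges are the two ranges from the advisory, each half-open:
// lo <= version < fixed.
var affectedRanges = []struct{ lo, fixed string }{
	{"2.2.0", "2.10.27"},
	{"2.11.0-RC.1", "2.11.1"},
}

// Affected reports whether ver is vulnerable to CVE-2025-30215 and, if so,
// the release that closes its range.
func Affected(ver string) (bool, string, error) {
	v, err := parseVersion(ver)
	if err != nil {
		return false, "", err
	}
	for _, r := range affectedRanges {
		lo, _ := parseVersion(r.lo)       // constants above, known to parse
		fixed, _ := parseVersion(r.fixed) // constants above, known to parse
		if !less(v, lo) && less(v, fixed) {
			return true, r.fixed, nil
		}
	}
	return false, "", nil
}

func main() {
	// Constructed sample inputs covering both boundaries of each range.
	for _, s := range []string{"2.1.9", "2.2.0", "2.10.26", "2.10.27", "v2.11.0-RC.1", "2.11.0", "2.11.1"} {
		hit, fix, err := Affected(s)
		switch {
		case err != nil:
			fmt.Printf("%-14s error: %v\n", s, err)
		case hit:
			fmt.Printf("%-14s AFFECTED, upgrade to %s\n", s, fix)
		default:
			fmt.Printf("%-14s not affected\n", s)
		}
	}
}
```

Note that 2.10.27 and later 2.10.x releases fall outside both ranges, as does anything below 2.2.0, while the 2.11 range deliberately starts at the first release candidate because the second affected row above begins there.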