Nats Nats

  1. Vendors
  2. Nats

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any Nats product.

RSS Feeds for Nats security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in Nats products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by Nats Sorted by Most Security Vulnerabilities since 2018

Nats Server6 vulnerabilities

Nats Streaming Server2 vulnerabilities

Nats Jwt Library1 vulnerability

Nats Nkeys1 vulnerability

By the Year

In 2026 there have been 0 vulnerabilities in Nats. Nats did not have any published security vulnerabilities last year.




Year Vulnerabilities Average Score
2026 0 0.00
2025 0 0.00
2024 0 0.00
2023 1 7.50
2022 2 7.65
2021 2 7.50
2020 0 0.00
2019 1 0.00

It may take a day or so for new Nats vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Nats Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2023-46129 Oct 31, 2023
NATS Server 2.10.x nkeys Encryption Zero-Key Vulnerability NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The cryptographic key handling library, nkeys, recently gained support for encryption, not just for signing/authentication. This is used in nats-server 2.10 (Sep 2023) and newer for authentication callouts. In nkeys versions 0.4.0 through 0.4.5, corresponding with NATS server versions 2.10.0 through 2.10.3, the nkeys library's `xkeys` encryption handling logic mistakenly passed an array by value into an internal function, where the function mutated that buffer to populate the encryption key to use. As a result, all encryption was actually to an all-zeros key. This affects encryption only, not signing. FIXME: FILL IN IMPACT ON NATS-SERVER AUTH CALLOUT SECURITY. nkeys Go library 0.4.6, corresponding with NATS Server 2.10.4, has a patch for this issue. No known workarounds are available. For any application handling auth callouts in Go, if using the nkeys library, update the dependency, recompile and deploy that in lockstep.
Nats Server
Nkeys
CVE-2022-26652 Mar 10, 2022
NATS nats-server before 2.7.4 allows Directory Traversal (with write access) via an element in a ZIP archive for JetStream streams NATS nats-server before 2.7.4 allows Directory Traversal (with write access) via an element in a ZIP archive for JetStream streams. nats-streaming-server before 0.24.3 is also affected.
Nats Server
Nats Streaming Server
CVE-2022-24450 Feb 08, 2022
NATS nats-server before 2.7.2 has Incorrect Access Control NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the "dynamically provisioned sandbox accounts" feature.
Nats Server
Nats Streaming Server
CVE-2021-3127 Mar 16, 2021
NATS Server 2.x before 2.2.0 and JWT library before 2.0.1 have Incorrect Access Control NATS Server 2.x before 2.2.0 and JWT library before 2.0.1 have Incorrect Access Control because Import Token bindings are mishandled.
Jwt Library
Nats Server
CVE-2020-28466 Mar 07, 2021
This affects all versions of package github.com/nats-io/nats-server/server This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent a service export/import cycles. Disclaimer from the maintainers: Running a NATS service which is exposed to untrusted users presents a heightened risk. Any remote execution flaw or equivalent seriousness, or denial-of-service by unauthenticated users, will lead to prompt releases by the NATS maintainers. Fixes for denial of service issues with no threat of remote execution, when limited to account holders, are likely to just be committed to the main development branch with no special attention. Those who are running such services are encouraged to build regularly from git.
Nats Server
CVE-2019-13126 Jul 29, 2019
An integer overflow in NATS Server before 2.0.2 allows a remote attacker to crash the server by sending a crafted request An integer overflow in NATS Server before 2.0.2 allows a remote attacker to crash the server by sending a crafted request. If authentication is enabled, then the remote attacker must have first authenticated.
Nats Server
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.