Information disclosure via access control bypass in wildcard and queue subscriptions
Summary
NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, an authenticated user could receive messages on denied subjects when a wildcard subscription overlapped with a configured wildcard deny rule but was not a subset of it, and queue subscriptions could also affect delivery to legitimate queue consumers. This issue is fixed in versions 2.14.0, 2.12.7, and 2.11.16. A flaw was found in NATS Server. This could lead to unauthorized information disclosure. Moderate: An information disclosure flaw in NATS Server allows an authenticated user to bypass configured access restrictions, enabling them to receive messages on subjects that should be denied. This occurs when wildcard subscriptions overlap with deny rules or when queue subscriptions interfere with message delivery. Red Hat severity: Moderate — CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). Weakness: CWE-551. Red Hat lists Red Hat Hardened Images as not affected.
- < 2.14.0
- < 2.12.7
- < 2.11.16
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
- 2.14.0
- 2.12.7
- 2.11.16
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Mitigation checklist
- Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.