Alex Herrington

#41934de 53,635
6.5 CVSS total
Vulnerabilities · 1
PT-2023-30299
6.5
2023-10-19
Nats · Nats Nats-Server · CVE-2023-47090
**Name of the Vulnerable Software and Affected Versions**

- NATS nats-server versions 2.2.0 through 2.9.22
- NATS nats-server versions 2.10.0 through 2.10.1

**Description**

The issue is an authentication bypass in NATS nats-server. An implicit `$G` user in an `authorization` block can sometimes be used for unauthenticated access, even when the configuration intended every user to belong to an account. Without any authorization rules in the nats-server, users can connect without authentication. The problem arises from the use of an `authorization` block, whose syntax predates the newer `accounts` block, where users are placed into the implicit global account, `$G`.

**Recommendations**

- For NATS nats-server versions 2.2.0 through 2.9.22, upgrade to at least version 2.9.23.
- For NATS nats-server versions 2.10.0 through 2.10.1, upgrade to at least version 2.10.2.

As a temporary workaround, define a second non-system account in the `accounts` block, leave it empty so that the implicit `$G` user is not created, and set it as the `no auth user` target. Alternatively, complete the migration of the authorization entries into a named account in the `accounts` block.
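Added example, not part of the dbugs record or the NATS project's own documentation: a minimal nats-server configuration that contrasts the legacy `authorization` block, whose users land in the implicit `$G` account, with the same users migrated into a named account, which is the "complete the migration" path the recommendations describe. The user names, passwords, the account name `APP` and the listen address are placeholders chosen for this illustration.

```conf
# Added example (not from the dbugs record or the NATS project's own docs).
# User names, passwords, the account name "APP" and the listen address
# are placeholders.
#
# Legacy shape described in the advisory: an "authorization" block with
# no "accounts" block. Users defined this way are placed into the implicit
# global account "$G".
#
#   authorization {
#     users = [
#       { user: "alice", password: "ALICE_PASSWORD_PLACEHOLDER" }
#       { user: "bob",   password: "BOB_PASSWORD_PLACEHOLDER" }
#     ]
#   }
#
# Migrated shape: the same users moved into a named account, so no user
# is created in "$G" and every connection must match one of these entries.
listen: 0.0.0.0:4222

accounts {
  APP: {
    users: [
      { user: "alice", password: "ALICE_PASSWORD_PLACEHOLDER" }
      { user: "bob",   password: "BOB_PASSWORD_PLACEHOLDER" }
    ]
  }
}
```

After the change, a check worth making is to run the server with the new file and confirm that a client connecting without credentials is rejected and that `alice` and `bob` can still connect; the temporary workaround in the recommendations (an empty second account set as the no-auth-user target) is not shown here, since the migrated form above is the complete fix.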