PT-2020-16311 · Nats · Nats.Js+2

Phil Pennock · Published 2020-09-30 · Updated 2021-04-06 · CVE-2020-26149

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
- nats.js versions 2.0.0-201 through 2.0.0-208
- nats.ws versions 1.0.0-85 through 1.0.0-110
- nats.deno versions prior to 1.0.0-9

Description
The issue is an information disclosure flaw in the NATS project's preview versions of two NPM packages and one Deno package. The client sends its connection options to the server, and those options include TLS private credentials. Because the nats.js client supports mutual TLS and keeps the TLS client key in the connection configuration options, the client's TLS private key is disclosed to whichever server it connects to. Most authentication mechanisms are negotiated after the connection is established and are unaffected. The estimated number of potentially affected devices worldwide is not provided. There is no information about real-world incidents in which this issue was exploited.

Recommendations
- nats.js versions 2.0.0-201 through 2.0.0-208: upgrade to version 2.0.0-209 or later and reissue any TLS client credentials with new keys.
- nats.ws versions 1.0.0-85 through 1.0.0-110: upgrade to version 1.0.0-111 or later.
- nats.deno versions prior to 1.0.0-9: upgrade to version 1.0.0-9 or later.
- As a temporary workaround, consider disabling mutual TLS until a patch is available.
- Restrict connections to untrusted servers to minimize the risk of exploitation.
- Avoid disabling TLS verification, which would allow authentication credentials to be leaked.
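The flaw class described above is a client that serialises its whole options object into the connection handshake. The example below is added here and is not nats.js, nats.ws or nats.deno code: it builds a NATS-style CONNECT line from a constructed options object, first by spreading every option into the payload (the leaking pattern), then by copying only an allow-list of handshake fields, and includes a pre-send check a test suite could run against the produced line. The option names, the CONNECT field list and the key material are assumptions and placeholders, not values taken from the affected packages.

```javascript
// Added example, not code from the nats.js / nats.ws / nats.deno projects.
// Constructed sample options in the shape a mutual-TLS client might be given.
// The private key below is a placeholder string, not real key material.
const SAMPLE_OPTIONS = {
  servers: ["nats.example.internal:4222"],
  name: "inventory-worker",
  user: "svc-inventory",
  pass: "constructed-password",
  tls: {
    certFile: "/etc/nats/client.crt",   // assumed option names
    keyFile: "/etc/nats/client.key",
    key: "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----",
  },
};

// Leaking pattern: every option, TLS key included, lands in the CONNECT JSON.
function buildConnectLeaky(opts) {
  const payload = { ...opts, protocol: 1, lang: "js", verbose: false };
  return `CONNECT ${JSON.stringify(payload)}\r\n`;
}

// Hardened pattern: copy only the fields the server needs, by name.
// This allow-list is illustrative; check the protocol specification for the
// exact set your client must send.
const CONNECT_FIELDS = ["name", "user", "pass", "auth_token", "jwt", "sig",
                        "no_responders", "headers"];

function buildConnectHardened(opts) {
  const payload = { protocol: 1, lang: "js", verbose: false };
  for (const field of CONNECT_FIELDS) {
    if (opts[field] !== undefined) payload[field] = opts[field];
  }
  return `CONNECT ${JSON.stringify(payload)}\r\n`;
}

// Pre-send check for tests or a debug hook: does the CONNECT line carry
// TLS configuration or anything that looks like private key material?
function leaksPrivateMaterial(connectLine) {
  return /"tls"|"keyFile"|"key"|PRIVATE KEY/.test(connectLine);
}

// Parse the JSON part of a CONNECT line back into an object (for inspection).
function parseConnect(connectLine) {
  return JSON.parse(connectLine.slice("CONNECT ".length));
}

// Stand-alone demonstration.
const leaky = buildConnectLeaky(SAMPLE_OPTIONS);
const hardened = buildConnectHardened(SAMPLE_OPTIONS);
console.log("leaky line leaks key material:", leaksPrivateMaterial(leaky));       // true
console.log("hardened line leaks key material:", leaksPrivateMaterial(hardened)); // false
console.log("hardened payload:", parseConnect(hardened));
```

The allow-list is the substantive change: adding a new field to the options object can no longer put it on the wire by accident, and `leaksPrivateMaterial` gives a cheap regression check that the handshake never again carries TLS configuration, which is exactly the class of defect the upgrade and the advice to reissue client keys address.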

Weakness Enumeration

Insufficiently Protected Credentials

Related Identifiers

CVE-2020-26149
GHSA-82RF-Q3PR-4F6P
GHSA-PRMC-5V5W-C465

Affected Products

Nats.Deno
Nats.Js
Nats.Ws