PT-2020-16435

Phil Pennock · Published 2020-11-06 · Updated 2022-07-01

CVE-2020-26521

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

NATS Server 2.x versions prior to 2.1.9; NATS JWT library versions prior to 1.1.0

Description

A malicious Account can create and sign a User JWT whose state was not produced by the normal tooling, such that decoding it with the NATS JWT library attempts a nil pointer dereference and aborts execution. In the NATS Server this causes a Denial of Service through process termination. The issue stems from the NATS account system: an Operator trusted by the servers signs Accounts, and each Account can then create and sign Users within that account.

Recommendations

Upgrade the NATS Server to version 2.1.9 or later if you use NATS Accounts. Upgrade the JWT dependency in any application using it to version 1.1.0 or later. If your NATS servers do not trust any Accounts managed by untrusted entities, malformed User credentials are unlikely to be encountered and you may not need to take immediate action; upgrading is still recommended to prevent potential issues.
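As an added illustration of the bug class this advisory describes (example code, not from the NATS project or the nats-io/jwt library): a simplified Go decoder with hypothetical `UserClaims` and `Limits` types shows how a User JWT whose optional state is absent turns into a nil dereference, and the nil check plus panic recovery that keep such a token from terminating the process. Signature verification is deliberately out of scope, and `MakeToken` only builds constructed, unsigned sample input.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Hypothetical, simplified claims shape; not the real nats-io/jwt types.
type Limits struct {
	Subs int64 `json:"subs"`
}
type UserClaims struct {
	Subject string  `json:"sub"`
	Limits  *Limits `json:"limits,omitempty"` // optional nested state
}
// DecodeUserSubs parses the payload of a compact JWT (signature checks are
// out of scope here). Evaluating uc.Limits.Subs without the nil check below
// is the advisory's bug class: a token without "limits" panics and, if the
// panic is not recovered, aborts the whole process.
func DecodeUserSubs(token string) (n int64, err error) {
	defer func() { // belt and braces: a residual decode panic becomes an error
		if r := recover(); r != nil {
			err = errors.New("claims decode panic recovered")
		}
	}()
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return 0, errors.New("malformed token: expected 3 segments")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return 0, err
	}
	var uc UserClaims
	if err := json.Unmarshal(raw, &uc); err != nil {
		return 0, err
	}
	if uc.Limits == nil { // the fix: validate optional state before use
		return 0, errors.New("user claims missing required limits block")
	}
	return uc.Limits.Subs, nil
}

// MakeToken builds an unsigned compact JWT from a JSON payload (constructed sample input).
func MakeToken(payload string) string {
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(`{"typ":"JWT","alg":"dummy"}`)) + "." + enc([]byte(payload)) + ".sig"
}
```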

Weakness Enumeration

NULL Pointer Dereference

Related Identifiers

CVE-2020-26521
GHSA-H2FG-54X9-5QHQ
GHSA-HMM9-R2M2-QG9W
GO-2022-0402

Affected Products

JWT Library
NATS Server