PT-2022-17985 · Unknown · Nats Streaming Server +1

Yiming Xiang · Published 2022-03-10 · Updated 2024-08-21 · CVE-2022-26652

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
NATS Server versions 2.2.0 through 2.7.3
NATS Streaming Server versions 0.15.0 through 0.24.2

Description
The issue allows directory traversal with write access via an entry in a ZIP archive supplied for a JetStream stream restore, enabling arbitrary file write. It is caused by inadequate validation of filenames inside the archive, which permits a "Zip Slip" attack during stream restore. The estimated number of potentially affected devices is not specified.

Recommendations
For NATS Server versions 2.2.0 through 2.7.3, upgrade to at least version 2.7.4. For NATS Streaming Server versions 0.15.0 through 0.24.2, upgrade to at least version 0.24.3. As a temporary workaround, consider disabling JetStream for untrusted users. If only one NATS account uses JetStream and all users with access to the JetStream API are trusted, apply sandboxing techniques, such as running NATS as an unprivileged user with restricted filesystem access, to limit the impact of exploitation.
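The check that was missing during restore is the one every archive extractor needs: resolve each entry name under the destination directory and refuse any entry that lands outside it. The following Go program is an added example written for this page; it is not NATS code and does not reproduce the NATS restore routine. It builds a small in-memory ZIP (entry names are constructed for the example, loosely styled after a stream backup) containing two benign entries and two traversal attempts, then classifies each entry with SafeJoin before anything would be written to disk.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafeEntry is returned for any archive member that would be written
// outside the restore directory.
var ErrUnsafeEntry = errors.New("archive entry escapes restore directory")

// SafeJoin maps an archive entry name onto a path below dest. It rejects
// empty and absolute names and names whose cleaned form climbs out of dest.
// A restore routine must run this before opening the target file for writing.
func SafeJoin(dest, name string) (string, error) {
	if name == "" {
		return "", ErrUnsafeEntry
	}
	// ZIP entry names use '/', so convert before using the filesystem API.
	local := filepath.FromSlash(name)
	if filepath.IsAbs(local) || strings.HasPrefix(local, string(os.PathSeparator)) {
		return "", ErrUnsafeEntry
	}
	cleanDest := filepath.Clean(dest)
	// Join also cleans: "restore" + "../x" becomes "x", which then fails the
	// prefix test. The trailing separator stops "restore" from matching a
	// sibling directory such as "restore-evil".
	target := filepath.Join(cleanDest, local)
	if target != cleanDest && !strings.HasPrefix(target, cleanDest+string(os.PathSeparator)) {
		return "", ErrUnsafeEntry
	}
	return target, nil
}

// ClassifyEntries opens an in-memory ZIP and splits its members into those
// that may be restored under dest and those that must be rejected.
func ClassifyEntries(data []byte, dest string) (accepted, rejected []string, err error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if r == nil {
		return nil, nil, err
	}
	// Go 1.20 and later may report an insecure-path error here while still
	// returning a usable reader; the per-entry check below is what this
	// example relies on, so classification proceeds either way.
	for _, f := range r.File {
		if _, jerr := SafeJoin(dest, f.Name); jerr != nil {
			rejected = append(rejected, f.Name)
			continue
		}
		accepted = append(accepted, f.Name)
	}
	return accepted, rejected, nil
}

// BuildSampleArchive constructs a ZIP in memory. The entry names and bodies
// are invented for this example: two plausible backup members and two
// entries that try to escape the restore directory.
func BuildSampleArchive() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range []struct{ name, body string }{
		{"streams/ORDERS/meta.inf", "{}"},
		{"streams/ORDERS/msgs/1.blk", "sample block"},
		{"../../outside.txt", "escapes via dot-dot"},
		{"/abs/outside.txt", "escapes via absolute path"},
	} {
		fw, err := w.Create(e.name)
		if err != nil {
			panic(err)
		}
		if _, err := fw.Write([]byte(e.body)); err != nil {
			panic(err)
		}
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	ok, bad, err := ClassifyEntries(BuildSampleArchive(), "restore")
	if err != nil {
		panic(err)
	}
	fmt.Println("accepted:", ok)
	fmt.Println("rejected:", bad)
}
```

The prefix comparison is done on the cleaned, joined path rather than on the raw entry name, so an entry like "streams/../../x" is caught even though it does not start with "..". Two caveats for a real restore: entries that are symbolic links need the same treatment for their link targets, otherwise a later entry can be written through the link, and the check should be repeated on the actual open path if the destination itself can contain symlinks.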

Fix

Path traversal

Weakness Enumeration

Related Identifiers

BIT-NATS-2022-26652
CVE-2022-26652
GHSA-6H3M-36W8-HV68
GO-2022-0351

Affected Products

Nats Server
Nats Streaming Server