PT-2023-29861

Tinou98 · Published 2023-10-30 · Updated 2024-03-06 · CVE-2023-46129

CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
nkeys versions 0.4.0 through 0.4.5
NATS Server versions 2.10.0 through 2.10.3
Description
NATS.io is a high-performance open source pub-sub distributed messaging system. Its cryptographic key handling library, nkeys, recently gained support for encryption (xkeys). In nkeys versions 0.4.0 through 0.4.5, the xkeys encryption handling logic mistakenly passed an array by value into an internal function, where the function mutated that buffer to populate the encryption key to use. In Go a fixed-size array is a value type, so the callee filled a private copy and the caller's buffer stayed all zeros. As a result, all encryption was actually to an all-zeros key. Because that key is a fixed, publicly known constant, anyone who obtains such a ciphertext can decrypt it without the intended recipient's secret, which is why the vector rates a complete loss of confidentiality with no impact on integrity or availability. This affects encryption only, not signing.
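The bug class described above, as an added illustration in Go that is not nkeys' own code: a key-decoding helper that takes its destination array by value, beside the pointer-taking form, with a symmetric AES-256-GCM seal/open standing in for the library's real encryption so the effect can be checked directly. A ciphertext produced through the by-value path opens under 32 zero bytes; one produced through the fixed path does not. The unpadded base32 key encoding, every function name, and the demo key are constructed for this example and are assumptions, not the project's API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base32"
	"fmt"
)

const keyLen = 32

// Constructed for the demo: keys travel as unpadded base32 strings.
var keyEnc = base32.StdEncoding.WithPadding(base32.NoPadding)

// DecodeKey is the corrected shape: the callee writes through a pointer
// into the caller's array, and rejects keys of the wrong length.
func DecodeKey(src string, dest *[keyLen]byte) error {
	raw, err := keyEnc.DecodeString(src)
	if err != nil {
		return err
	}
	if len(raw) != keyLen {
		return fmt.Errorf("key must be %d bytes, got %d", keyLen, len(raw))
	}
	copy(dest[:], raw)
	return nil
}

// decodeKeyByValue reproduces the bug class: dest is a Go array passed by
// value, so &dest points at the callee's copy and the caller's array stays zero.
func decodeKeyByValue(src string, dest [keyLen]byte) error {
	return DecodeKey(src, &dest) // fills the copy, which is dropped on return
}

func newGCM(key *[keyLen]byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts msg with AES-256-GCM under key; output is nonce || ciphertext.
func Seal(key *[keyLen]byte, msg []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, msg, nil), nil
}

// Open reverses Seal; the GCM tag check fails under any wrong key.
func Open(key *[keyLen]byte, ct []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(ct) < n {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, ct[:n], ct[n:], nil)
}

// SealVulnerable decodes the key by value, so it encrypts under 32 zero bytes.
func SealVulnerable(encodedKey string, msg []byte) ([]byte, error) {
	var key [keyLen]byte
	if err := decodeKeyByValue(encodedKey, key); err != nil {
		return nil, err
	}
	return Seal(&key, msg) // key was never written
}

// SealFixed decodes into the caller's buffer and encrypts under the real key.
func SealFixed(encodedKey string, msg []byte) ([]byte, error) {
	var key [keyLen]byte
	if err := DecodeKey(encodedKey, &key); err != nil {
		return nil, err
	}
	return Seal(&key, msg)
}

// DemoKey is a constructed, non-secret 32-byte key for the demonstration.
func DemoKey() string { return keyEnc.EncodeToString([]byte("constructed-demo-key-32-bytes!!!")) }

func main() {
	var zero [keyLen]byte // the attacker's key: 32 zero bytes
	msg := []byte("constructed test message")
	vuln, _ := SealVulnerable(DemoKey(), msg)
	fixed, _ := SealFixed(DemoKey(), msg)
	_, errVuln := Open(&zero, vuln)
	_, errFixed := Open(&zero, fixed)
	fmt.Println("opens under zero key: vulnerable =", errVuln == nil, "fixed =", errFixed == nil)
}
```

The whole defect sits in decodeKeyByValue: the compiler accepts it, go vet does not flag it, and the function even returns nil, so nothing looks wrong until the key is used. The regression test that catches it is the one in main: seal with a real key, then assert the ciphertext does not open under all zeros.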
Recommendations
For nkeys versions 0.4.0 through 0.4.5, update the dependency to version 0.4.6 or later, recompile, and deploy in lockstep. For NATS Server versions 2.10.0 through 2.10.3, upgrade to version 2.10.4 or later. To confirm what is deployed, check the resolved module version in the consuming Go project with go list -m github.com/nats-io/nkeys and the server build with nats-server -v. Upgrading does not protect data already encrypted by an affected version: treat such ciphertexts as readable by anyone who obtained them and re-encrypt them with a fixed build.


Related Identifiers

AZL-31792
AZL-35298
BIT-NATS-2023-46129
CVE-2023-46129
GHSA-MR45-RX8Q-WCM9
GO-2023-2163

Affected Products

Nats Server
Nkeys