PT-2025-15666 · Unknown · Nats Server
Zarqman · Published 2025-01-01 · Updated 2025-04-22
CVE-2025-30215
CVSS v3.1: 9.6 (Critical)
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
NATS-Server versions 2.2.0 through 2.10.27
NATS-Server versions prior to 2.11.1
Description
The vulnerability stems from missing access controls on the JetStream (JS) API in NATS-Server: any user holding JS management permissions in any account can perform certain administrative actions on any JS asset in any other account. At least one of the unprotected APIs allows data destruction. None of the affected APIs disclose stream contents.
Recommendations
For versions 2.2.0 through 2.10.27, update to version 2.10.27 or later.
For versions prior to 2.11.1, update to version 2.11.1 or later.
As a temporary workaround, consider restricting access to the JetStream API to minimize the risk of exploitation.
Exploit
Fix
LPE
Improper Authorization
Improper Authentication
Missing Authentication
Related Identifiers
Affected Products
Debian
Nats Server