Google Git
Sign in
go / vulndb / 4e5291669727401b6ee1e1cffc20c982c551862d / . / data / reports / GO-2025-3600.yaml
blob: fca5a3485140d69b34e422a14b9d344b0b27ff51 [file] [log] [blame]
id: GO-2025-3600
modules:
- module: github.com/nats-io/nats-server/v2
versions:
- introduced: 2.2.0
- fixed: 2.10.27
- introduced: 2.11.0
- fixed: 2.11.1
vulnerable_at: 2.10.26
packages:
- package: github.com/nats-io/nats-server/v2/server
symbols:
- ConfigureOptions
- New
- NewServer
- Options.ProcessConfigFile
- ProcessConfigFile
- Run
- Server.EnableJetStream
- Server.Reload
- Server.ReloadOptions
- Server.Start
derived_symbols:
- Account.AddServiceImport
- Account.AddServiceImportWithClaim
- Account.DisableJetStream
- Account.EnableJetStream
- Account.RestoreStream
- Account.TrackServiceExport
- Account.TrackServiceExportWithSampling
- Account.UnTrackServiceExport
- CacheDirAccResolver.Reload
- CacheDirAccResolver.Start
- DirAccResolver.Fetch
- DirAccResolver.Reload
- DirAccResolver.Start
- DirAccResolver.Store
- DirJWTStore.Merge
- DirJWTStore.Pack
- DirJWTStore.PackWalk
- DirJWTStore.Reload
- DirJWTStore.SaveAcc
- DirJWTStore.SaveAct
- NewCacheDirAccResolver
- NewDirAccResolver
- NewExpiringDirJWTStore
- Server.AcceptLoop
- Server.AccountStatz
- Server.Accountz
- Server.ActivePeers
- Server.Connz
- Server.DisableJetStream
- Server.DisconnectClientByID
- Server.Gatewayz
- Server.HandleAccountStatz
- Server.HandleAccountz
- Server.HandleConnz
- Server.HandleGatewayz
- Server.HandleHealthz
- Server.HandleIPQueuesz
- Server.HandleSubsz
- Server.HandleVarz
- Server.InProcessConn
- Server.Ipqueuesz
- Server.JetStreamEnabledForDomain
- Server.JetStreamIsStreamAssigned
- Server.JetStreamIsStreamCurrent
- Server.JetStreamSnapshotMeta
- Server.JetStreamSnapshotStream
- Server.JetStreamStepdownConsumer
- Server.JetStreamStepdownStream
- Server.LameDuckShutdown
- Server.LookupAccount
- Server.LookupOrRegisterAccount
- Server.NumLoadedAccounts
- Server.NumSubscriptions
- Server.RegisterAccount
- Server.SetDefaultSystemAccount
- Server.SetSystemAccount
- Server.Shutdown
- Server.StartHTTPMonitoring
- Server.StartHTTPSMonitoring
- Server.StartMonitoring
- Server.StartProfiler
- Server.StartRouting
- Server.Subsz
- Server.UpdateAccountClaims
- Server.Varz
- client.RegisterNkeyUser
- client.RegisterUser
- clusterOption.Apply
- leafNodeOption.Apply
- maxConnOption.Apply
- mqttMaxAckPendingReload.Apply
- raft.AdjustClusterSize
- raft.InstallSnapshot
- raft.PauseApply
- raft.ProposeKnownPeers
- raft.ProposeRemovePeer
- raft.ResumeApply
- raft.SendSnapshot
- raft.StepDown
- raft.UpdateKnownPeers
- routesOption.Apply
summary: |-
Missing ACLs on JavaScript APIs allowing privilege escalation
github.com/nats-io/nats-server
description: Missing
cves:
- CVE-2025-30215
ghsas:
- GHSA-fhg8-qxh5-7q3w
credits:
- Thomas Morgan
references:
- advisory: https://github.com/nats-io/nats-server/security/advisories/GHSA-fhg8-qxh5-7q3w
- web: https://advisories.nats.io/CVE/secnote-2025-01.txt
- fix: https://github.com/nats-io/nats-server/commit/3e7e4645a24e829a36b4210f2d7c34dea7f7a424
source:
id: go-security-team
created: 2025-04-10T12:58:14.561598-04:00
review_status: REVIEWED