Skip to main content
Testkube 2.11.0 is out! Improved insights and metrics, more responsive AI chat, Gateway API support, and much more! Read More

nats-2.14.2-alpine_linux_amd64

digestsha256:8c0cf827d557b41c5973875a2618eb886aa26d20921471f03ed1185702ad1cf2
vulnerabilitiescritical: 0 high: 1 medium: 3 low: 0 unspecified: 3
platformlinux/amd64
size11 MB
packages32
critical: 0 high: 1 medium: 2 low: 0 unspecified: 2stdlib 1.26.3 (golang)

pkg:golang/stdlib@1.26.3

# 2.14.x/alpine3.22/Dockerfile (14:36)
RUN set -eux; \
apkArch="$(apk --print-arch)"; \
case "$apkArch" in \
aarch64) natsArch='arm64'; sha256='15fd0c3438e7178e5316e63be68373ad581c8d78db26e649113aa303b74e5e58' ;; \
armhf) natsArch='arm6'; sha256='1c2a2b9c52d9232b58ce092ba093c46c5da6f47b1ce9b1342e3ae9465de6e758' ;; \
armv7) natsArch='arm7'; sha256='6bc20a6f439d72f71dae981ffe3430197eb6e64c0d2c6000b4b4b105904fbd3c' ;; \
x86_64) natsArch='amd64'; sha256='b3e7b14eb10c895fd90c2dacdb6b65bd3208adcc9524dd7689ba2c1024e6b97a' ;; \
x86) natsArch='386'; sha256='654a79c090daa27dc9bc638c09e28cb0bdbed5b24e075608357b475367d47edb' ;; \
s390x) natsArch='s390x'; sha256='acb6081c49e101119fb35a3cb2d77e7970440e968583c61aedf6e64e4f5023d3' ;; \
ppc64le) natsArch='ppc64le'; sha256='05733a36a22ece31a23059147fbb7a9b27bb86e9770ffb1b6ba7478603b75330' ;; \
loong64) natsArch='loong64'; sha256='0a31d33cc3430ec9f2b51f789afee4a21fb5d28447d52c661acfd9ea46f5d7fb' ;; \
*) echo >&2 "error: $apkArch is not supported!"; exit 1 ;; \
esac; \
\
wget -O nats-server.tar.gz "https://github.com/nats-io/nats-server/releases/download/v${NATS_SERVER}/nats-server-v${NATS_SERVER}-linux-${natsArch}.tar.gz"; \
echo "${sha256} *nats-server.tar.gz" | sha256sum -c -; \
\
apk add --no-cache ca-certificates tzdata; \
\
tar -xf nats-server.tar.gz; \
rm nats-server.tar.gz; \
mv "nats-server-v${NATS_SERVER}-linux-${natsArch}/nats-server" /usr/local/bin; \
rm -rf "nats-server-v${NATS_SERVER}-linux-${natsArch}";

high : CVE--2026--42504

Affected range
>=1.26.0-0
<1.26.4
Fixed version1.26.4
EPSS Score0.560%
EPSS Percentile43rd percentile
Description

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

medium : CVE--2026--27145

Affected range
>=1.26.0-0
<1.26.4
Fixed version1.26.4
EPSS Score0.939%
EPSS Percentile57th percentile
Description

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname.

With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

medium : CVE--2026--42507

Affected range
>=1.26.0-0
<1.26.4
Fixed version1.26.4
EPSS Score0.370%
EPSS Percentile29th percentile
Description

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

unspecified : CVE--2026--42505

Affected range
>=1.26.0-0
<1.26.5
Fixed version1.26.5
EPSS Score0.413%
EPSS Percentile33rd percentile
Description

Handshakes which used Encrypted Client Hello could be de-anonymized by a passive network observer due to a disclosure of pre-shared key identities in the unencrypted client hello.

unspecified : CVE--2026--39822

Affected range
>=1.26.0-0
<1.26.5
Fixed version1.26.5
EPSS Score0.183%
EPSS Percentile8th percentile
Description

On Unix systems, opening a file in an os.Root improperly follows symlinks to locations outside of the Root when the final path component of the a path is a symbolic link and the path ends in /.

For example, 'root.Open("symlink/")' will open "symlink" even when "symlink" is a symbolic link pointing outside of the root.

critical: 0 high: 0 medium: 1 low: 0 busybox 1.37.0-r20 (apk)

pkg:apk/alpine/busybox@1.37.0-r20?os_name=alpine&os_version=3.22

# 2.14.x/alpine3.22/Dockerfile (0:0)


medium : CVE--2025--60876

Affected range<=1.37.0-r20
Fixed versionNot Fixed
EPSS Score0.285%
EPSS Percentile20th percentile
Description
critical: 0 high: 0 medium: 0 low: 0 unspecified: 1golang.org/x/crypto 0.52.0 (golang)

pkg:golang/golang.org/x/crypto@0.52.0

# 2.14.x/alpine3.22/Dockerfile (14:36)
RUN set -eux; \
apkArch="$(apk --print-arch)"; \
case "$apkArch" in \
aarch64) natsArch='arm64'; sha256='15fd0c3438e7178e5316e63be68373ad581c8d78db26e649113aa303b74e5e58' ;; \
armhf) natsArch='arm6'; sha256='1c2a2b9c52d9232b58ce092ba093c46c5da6f47b1ce9b1342e3ae9465de6e758' ;; \
armv7) natsArch='arm7'; sha256='6bc20a6f439d72f71dae981ffe3430197eb6e64c0d2c6000b4b4b105904fbd3c' ;; \
x86_64) natsArch='amd64'; sha256='b3e7b14eb10c895fd90c2dacdb6b65bd3208adcc9524dd7689ba2c1024e6b97a' ;; \
x86) natsArch='386'; sha256='654a79c090daa27dc9bc638c09e28cb0bdbed5b24e075608357b475367d47edb' ;; \
s390x) natsArch='s390x'; sha256='acb6081c49e101119fb35a3cb2d77e7970440e968583c61aedf6e64e4f5023d3' ;; \
ppc64le) natsArch='ppc64le'; sha256='05733a36a22ece31a23059147fbb7a9b27bb86e9770ffb1b6ba7478603b75330' ;; \
loong64) natsArch='loong64'; sha256='0a31d33cc3430ec9f2b51f789afee4a21fb5d28447d52c661acfd9ea46f5d7fb' ;; \
*) echo >&2 "error: $apkArch is not supported!"; exit 1 ;; \
esac; \
\
wget -O nats-server.tar.gz "https://github.com/nats-io/nats-server/releases/download/v${NATS_SERVER}/nats-server-v${NATS_SERVER}-linux-${natsArch}.tar.gz"; \
echo "${sha256} *nats-server.tar.gz" | sha256sum -c -; \
\
apk add --no-cache ca-certificates tzdata; \
\
tar -xf nats-server.tar.gz; \
rm nats-server.tar.gz; \
mv "nats-server-v${NATS_SERVER}-linux-${natsArch}/nats-server" /usr/local/bin; \
rm -rf "nats-server-v${NATS_SERVER}-linux-${natsArch}";

unspecified : GO--2026--5932

Affected range>=0
Fixed versionNot Fixed
Description

The golang.org/x/crypto/openpgp package is unsafe by design, has numerous known security issues, is not maintained, and should not be used.

If you are required to interoperate with OpenPGP systems and need a maintained package, consider github.com/ProtonMail/go-crypto/openpgp which is a maintained fork that aims to be a drop-in replacement for this package.