    github.com/nats-io/nats-server/v2 2.12.5 (golang)
pkg:golang/github.com/nats-io/nats-server@2.12.5#v2
 Plaintext Storage of a Password
| Affected range | >=2.12.0-RC.1
<2.12.6
| | Fixed version | 2.12.6 | | CVSS Score | 8.6 | | CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N | | EPSS Score | 0.044% | | EPSS Percentile | 13th percentile |
Description
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server provides an MQTT client interface.
Problem Description
For MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed via monitoring endpoints.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
Ensure monitoring end-points are adequately secured.
Best practice remains to not expose the monitoring endpoint to the Internet or other untrusted network users.
 Improper Input Validation
| Affected range | >=2.12.0-RC.1
<2.12.6
| | Fixed version | 2.12.6 | | CVSS Score | 7.5 | | CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | | EPSS Score | 0.166% | | EPSS Percentile | 38th percentile |
Description
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server allows hub/spoke topologies using "leafnode" connections by other nats-servers.
Problem Description
A client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
- Disable leafnode support if not needed.
- Restrict network connections to your leafnode port, if plausible without compromising the service offered.
References
 Insertion of Sensitive Information Into Debugging Code
| Affected range | >=2.12.0-RC.1
<2.12.6
| | Fixed version | 2.12.6 | | CVSS Score | 7.4 | | CVSS Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N | | EPSS Score | 0.033% | | EPSS Percentile | 10th percentile |
Description
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server provides an optional monitoring port, which provides access to sensitive data. The nats-server can take certain configuration options on the command-line instead of requiring a configuration file.
Problem Description
If a nats-server is run with static credentials for all clients provided via argv (the command-line), then those credentials are visible to any user who can see the monitoring port, if that too is enabled.
The /debug/vars end-point contains an unredacted copy of argv.
Patches
Fixed in nats-server 2.12.6 & 2.11.15
Workarounds
The NATS Maintainers are bemused at the concept of someone deploying a real configuration using --pass to avoid a config file, but also enabling monitoring.
Configure credentials inside a configuration file instead of via argv.
Do not enable the monitoring port if using secrets in argv.
Best practice remains to not expose the monitoring port to the Internet, or to untrusted network sources.
 Incorrect Authorization
| Affected range | >=2.12.0-RC.1
<2.12.6
| | Fixed version | 2.12.6 | | CVSS Score | 7.1 | | CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N | | EPSS Score | 0.027% | | EPSS Percentile | 8th percentile |
Description
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server provides an MQTT client interface.
Problem Description
When using ACLs on message subjects, these ACLs were not applied in the $MQTT.> namespace, allowing MQTT clients to bypass ACL checks for MQTT subjects.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
None.
 Improper Authentication
| Affected range | >=2.12.0-RC.1
<2.12.6
| | Fixed version | 2.12.6 | | CVSS Score | 6.5 | | CVSS Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L | | EPSS Score | 0.015% | | EPSS Percentile | 3rd percentile |
Description
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server provides an MQTT client interface.
Problem Description
Sessions and Messages can by hijacked via MQTT Client ID malfeasance.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
None.
Resources
 Improper Authentication
| Affected range | >=2.12.0-RC.1
<2.12.6
| | Fixed version | 2.12.6 | | CVSS Score | 6.4 | | CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N | | EPSS Score | 0.026% | | EPSS Percentile | 7th percentile |
Description
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server allows hub/spoke topologies using "leafnode" connections by other nats-servers. NATS messages can have headers.
Problem Description
The nats-server offers a Nats-Request-Info: message header, providing information about a request. This is supposed to provide enough information to allow for account/user identification, such that NATS clients could make their own decisions on how to trust a message, provided that they trust the nats-server as a broker.
A leafnode connecting to a nats-server is not fully trusted unless the system account is bridged too. Thus identity claims should not have propagated unchecked.
Thus NATS clients relying upon the Nats-Request-Info: header could be spoofed.
Does not directly affect the nats-server itself, but the CVSS Confidentiality and Integrity scores are based upon what a hypothetical client might choose to do with this NATS header.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
None.
 Authentication Bypass by Spoofing
| Affected range | >=2.12.0-RC.1
<2.12.6
| | Fixed version | 2.12.6 | | CVSS Score | 6.4 | | CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N | | EPSS Score | 0.026% | | EPSS Percentile | 7th percentile |
Description
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server offers a Nats-Request-Info: message header, providing information about a request.
Problem Description
The NATS message header Nats-Request-Info: is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was not fully effective.
An attacker with valid credentials for any regular client interface could thus spoof their identity to services which rely upon this header.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
None.
 Allocation of Resources Without Limits or Throttling
| Affected range | >=2.12.0-RC.1
<2.12.6
| | Fixed version | 2.12.6 | | CVSS Score | 5.3 | | CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | | EPSS Score | 0.079% | | EPSS Percentile | 23rd percentile |
Description
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server offers a WebSockets client service, used in deployments where browsers are the NATS clients.
Problem Description
A malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires sending a corresponding amount of data.
This is a milder variant of NATS-advisory-ID 2026-02 (aka CVE-2026-27571; GHSA-qrvq-68c2-7grw).
That earlier issue was a compression bomb, this vulnerability is not. Attacks against this new issue thus require significant client bandwidth.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
Disable websockets if not required for project deployment.
 Improper Authorization
| Affected range | >=2.12.0-RC.1
<2.12.6
| | Fixed version | 2.12.6 | | CVSS Score | 4.9 | | CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N | | EPSS Score | 0.025% | | EPSS Percentile | 7th percentile |
Description
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The persistent storage feature, JetStream, has a management API which has many features, amongst which are backup and restore.
Problem Description
Users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
If developers have configured users to have limited JetStream restore permissions, temporarily remove those permissions.
 Incorrect Authorization
| Affected range | >=2.12.0-preview.1
<2.12.6
| | Fixed version | 2.12.6 | | CVSS Score | 4.3 | | CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | | EPSS Score | 0.027% | | EPSS Percentile | 8th percentile |
Description
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server supports telemetry on messages, using the per-message NATS headers.
Problem Description
A valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject, including those to which the client does not have publish permission.
The payload is a valid trace message and not chosen by the attacker.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
None.
 Improper Authentication
| Affected range | >=2.12.0-RC.1
<2.12.6
| | Fixed version | 2.12.6 | | CVSS Score | 4.2 | | CVSS Vector | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N | | EPSS Score | 0.018% | | EPSS Percentile | 5th percentile |
Description
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
One authentication model supported is mTLS, deriving the NATS client identity from properties of the TLS Client Certificate.
Problem Description
When using mTLS for client identity, with verify_and_map to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypass.
This does require a valid certificate from a CA already trusted for client certificates, and DN naming patterns which the NATS maintainers consider highly unlikely.
So this is an unlikely attack. Nonetheless, administrators who have been very sophisticated in their DN construction patterns might conceivably be impacted.
Affected Versions
Fixed in nats-server 2.12.6 & 2.11.15
Workarounds
Developers should review their CA issuing practices.
|
  github.com/docker/docker 28.5.2+incompatible (golang)
pkg:golang/github.com/docker/docker@28.5.2%2Bincompatible
 Authentication Bypass Using an Alternate Path or Channel
| Affected range | <29.3.1 | | Fixed version | Not Fixed | | CVSS Score | 8.8 | | CVSS Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | | EPSS Score | 0.014% | | EPSS Percentile | 2nd percentile |
Description
Summary
A security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low.
This is an incomplete fix for CVE-2024-41110.
Impact
If you don't use AuthZ plugins, you are not affected.
Using a specially-crafted API request, an attacker could make the Docker daemon forward the request to an authorization plugin without the body. The authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it.
Anyone who depends on authorization plugins that introspect the request body to make access control decisions is potentially impacted.
Workarounds
If unable to update immediately:
- Avoid using AuthZ plugins that rely on request body inspection for security decisions.
- Restrict access to the Docker API to trusted parties, following the principle of least privilege.
Credits
Resources
 Off-by-one Error
| Affected range | <29.3.1 | | Fixed version | Not Fixed | | CVSS Score | 6.8 | | CVSS Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N | | EPSS Score | 0.013% | | EPSS Percentile | 2nd percentile |
Description
Summary
A security vulnerability has been detected that allows plugins privilege validation to be bypassed during docker plugin install. Due to an error in the daemon's privilege comparison logic, the daemon may incorrectly accept a privilege set that differs from the one approved by the user.
Plugins that request exactly one privilege are also affected, because no comparison is performed at all.
Impact
If plugins are not in use, there is no impact.
When a plugin is installed, the daemon computes the privileges required by the plugin's configuration and compares them with the privileges approved during installation. A malicious plugin can exploit this bug so that the daemon accepts privileges that differ from what was intended to be approved.
Anyone who depends on the plugin installation approval flow as a meaningful security boundary is potentially impacted.
Depending on the privilege set involved, this may include highly sensitive plugin permissions such as broad device access.
For consideration: exploitation still requires a plugin to be installed from a malicious source, and Docker plugins are relatively uncommon. Docker Desktop also does not support plugins.
Workarounds
If unable to update immediately:
- Do not install plugins from untrusted sources
- Carefully review all privileges requested during
docker plugin install
- Restrict access to the Docker daemon to trusted parties, following the principle of least privilege
- Avoid relying on plugin privilege approval as the only control boundary for sensitive environments
Credits
|
 github.com/buger/jsonparser 1.1.1 (golang)
pkg:golang/github.com/buger/jsonparser@1.1.1
 Out-of-bounds Read
| Affected range | <=1.1.1 | | Fixed version | 1.1.2 | | CVSS Score | 7.5 | | CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | | EPSS Score | 0.054% | | EPSS Percentile | 17th percentile |
Description
The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack.
|
github.com/go-jose/go-jose/v4 4.1.3 (golang)
pkg:golang/github.com/go-jose/go-jose@4.1.3#v4
 Uncaught Exception
| Affected range | <4.1.4 | | Fixed version | 4.1.4 | | CVSS Score | 7.5 | | CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Description
Impact
Decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key.
This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected.
This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common.
Panics can lead to denial of service.
Fixed In
4.1.4 and v3.0.5
Workarounds
If the list of keyAlgorithms passed to ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() does not include key wrapping algorithms (those ending in KW), your application is unaffected.
If your application uses key wrapping, you can prevalidate to the JWE objects to ensure the encrypted_key field is nonempty. If your application accepts JWE Compact Serialization, apply that validation to the corresponding field of that serialization (the data between the first and second .).
Thanks
Thanks to Datadog's Security team for finding this issue.
|
github.com/docker/cli 29.3.0+incompatible (golang)
pkg:golang/github.com/docker/cli@29.3.0%2Bincompatible
| Affected range | >=19.03.0+incompatible | | Fixed version | Not Fixed | | EPSS Score | 0.023% | | EPSS Percentile | 6th percentile |
Description
Docker CLI Plugins: Uncontrolled Search Path Element Leads to Local Privilege Escalation on Windows in github.com/docker/cli
|
  github.com/go-git/go-git/v5 5.16.5 (golang)
pkg:golang/github.com/go-git/go-git@5.16.5#v5
 Integer Underflow (Wrap or Wraparound)
| Affected range | >=5.0.0
<=5.17.0
| | Fixed version | 5.17.1 | | CVSS Score | 5 | | CVSS Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H | | EPSS Score | 0.013% | | EPSS Percentile | 2nd percentile |
Description
Impact
A vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a Denial of Service (DoS) condition.
Exploitation requires write access to the local repository's .git directory, it order to create or alter existing .idx files.
Patches
Users should upgrade to v5.17.1, or the latest v6 pseudo-version, in order to mitigate this vulnerability.
Credit
The go-git maintainers thank @kq5y for finding and reporting this issue privately to the go-git project.
 Improper Validation of Array Index
| Affected range | <=5.17.0 | | Fixed version | 5.17.1 | | CVSS Score | 2.8 | | CVSS Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L | | EPSS Score | 0.014% | | EPSS Percentile | 2nd percentile |
Description
Impact
go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing.
This issue only affects Git index format version 4. Earlier formats (go-git supports only v2 and v3) are not vulnerable to this issue.
An attacker able to supply a crafted .git/index file can cause applications using go-git to panic while reading the index. If the application does not recover from panics, this results in process termination, leading to a denial-of-service (DoS) condition.
Exploitation requires the ability to modify or inject a Git index file within the local repository in disk. This typically implies write access to the .git directory.
Patches
Users should upgrade to v5.17.1, or the latest v6 pseudo-version, in order to mitigate this vulnerability.
Credit
go-git maintainers thank @kq5y for finding and reporting this issue privately to the go-git project.
|
github.com/cloudflare/circl 1.6.1 (golang)
pkg:golang/github.com/cloudflare/circl@1.6.1
 Incorrect Calculation
| Affected range | <1.6.3 | | Fixed version | 1.6.3 | | CVSS Score | 2.9 | | CVSS Vector | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P/S:N/AU:Y/U:Amber | | EPSS Score | 0.022% | | EPSS Percentile | 6th percentile |
Description
The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas.
ECDH and ECDSA signing relying on this curve are not affected.
The bug was fixed in v1.6.3.
|
 stdlib 1.26.1 (golang)
pkg:golang/stdlib@1.26.1
| Affected range | >=1.26.0-0
<1.26.2
| | Fixed version | 1.26.2 |
Description
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint.
This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
| Affected range | >=1.26.0-0
<1.26.2
| | Fixed version | 1.26.2 |
Description
Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied.
These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.
| Affected range | >=1.26.0-0
<1.26.2
| | Fixed version | 1.26.2 |
Description
tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.
| Affected range | >=1.26.0-0
<1.26.2
| | Fixed version | 1.26.2 |
Description
If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service.
This only affects TLS 1.3.
| Affected range | >=1.26.0-0
<1.26.2
| | Fixed version | 1.26.2 |
Description
On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root.
The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.
| Affected range | >=1.26.0-0
<1.26.2
| | Fixed version | 1.26.2 |
Description
Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service.
This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
| Affected range | >=1.26.0-0
<1.26.2
| | Fixed version | 1.26.2 |
Description
During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.
|
 github.com/jackc/pgx/v5 5.9.1 (golang)
pkg:golang/github.com/jackc/pgx@5.9.1#v5
| Affected range | >=0 | | Fixed version | Not Fixed |
Description
Memory-safety vulnerability in github.com/jackc/pgx/v5.
| Affected range | >=0 | | Fixed version | Not Fixed |
Description
Memory-safety vulnerability in github.com/jackc/pgx/v5.
|
