A vulnerability in NATS-Server allows unauthorized administrative actions on JetStream assets, including data destruction, through unprotected APIs reachable by users who hold JS management permissions in any account. The vulnerability is tracked as CVE-2025-30215 and has been fixed in NATS-Server v2.11.1 and v2.10.27.
NATS-Server Background
NATS-Server is a high-performance server for NATS.io, which is a cloud and edge native messaging system designed for distributed, cloud-native and IoT environments. It provides developers with the ability to build robust and scalable messaging systems that enable spontaneous data exchange between applications and services.
Affected Versions
The vulnerability affects NATS-Server versions from 2.2 up to, but not including, 2.10.27 and 2.11.1.
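The affected range spans two release branches, so a naive "is it older than the fix" comparison gets 2.10.x wrong. The following Go program is an added example (not code from the advisory or the NATS project): it decodes the INFO greeting line a NATS server sends to every new TCP client, extracts the version field, and applies the range stated above. The INFO lines in main are constructed samples; treating every version at or above 2.11.1 as fixed is an assumption for branches the advisory does not mention.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// serverInfo holds the fields of the NATS INFO greeting we need; the real
// message carries many more keys, which encoding/json ignores.
type serverInfo struct {
	ServerName string `json:"server_name"`
	Version    string `json:"version"`
}

// semver is a minimal major.minor.patch triple; pre-release suffixes are dropped.
type semver struct{ major, minor, patch int }

func parseVersion(s string) (semver, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 { // strip "-beta.1" style suffixes
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return semver{}, fmt.Errorf("unexpected version format %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil {
			return semver{}, fmt.Errorf("non-numeric component in %q: %w", s, err)
		}
		n[i] = v
	}
	return semver{n[0], n[1], n[2]}, nil
}

// less reports whether a sorts before b.
func (a semver) less(b semver) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	return a.patch < b.patch
}

// affectedByCVE202530215 encodes the advisory's range: affected from 2.2 up to,
// but excluding, 2.10.27 on the 2.10 branch and 2.11.1 on the 2.11 branch.
// Assumption: anything at or above 2.11.1 is treated as fixed.
func affectedByCVE202530215(v semver) bool {
	switch {
	case v.less(semver{2, 2, 0}):
		return false // before 2.2: not in the affected range
	case v.less(semver{2, 10, 27}):
		return true // 2.2.0 .. 2.10.26
	case v.major == 2 && v.minor == 10:
		return false // 2.10.27 and later 2.10.x carry the fix
	case v.less(semver{2, 11, 1}):
		return true // 2.11.0
	default:
		return false
	}
}

// parseInfoLine decodes the "INFO {...}" line of the NATS wire protocol.
func parseInfoLine(line string) (serverInfo, error) {
	var info serverInfo
	if !strings.HasPrefix(line, "INFO ") {
		return info, fmt.Errorf("not an INFO line: %q", line)
	}
	if err := json.Unmarshal([]byte(strings.TrimSpace(line[len("INFO "):])), &info); err != nil {
		return info, err
	}
	if info.Version == "" {
		return info, fmt.Errorf("INFO line carries no version field")
	}
	return info, nil
}

// checkServer returns the server name and whether its version is in the affected range.
func checkServer(infoLine string) (string, bool, error) {
	info, err := parseInfoLine(infoLine)
	if err != nil {
		return "", false, err
	}
	v, err := parseVersion(info.Version)
	if err != nil {
		return info.ServerName, false, err
	}
	return info.ServerName, affectedByCVE202530215(v), nil
}

func main() {
	// Constructed INFO lines for illustration; not captured from real servers.
	samples := []string{
		`INFO {"server_name":"edge-1","version":"2.10.26","jetstream":true}`,
		`INFO {"server_name":"edge-2","version":"2.10.27","jetstream":true}`,
		`INFO {"server_name":"core-1","version":"2.11.0","jetstream":true}`,
		`INFO {"server_name":"core-2","version":"2.11.1","jetstream":true}`,
		`INFO {"server_name":"legacy","version":"2.1.9"}`,
	}
	for _, s := range samples {
		name, affected, err := checkServer(s)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-8s affected=%v\n", name, affected)
	}
}
```

In practice the INFO line can be read from the first line returned after opening a plain TCP connection to the client port, so the check can run across an inventory without credentials.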
Vulnerability Description
In vulnerable NATS-Server versions, JetStream asset management is performed with messages in the $JS subject namespace of the system account. Part of this namespace is exposed to regular accounts so that account holders can manage their own assets. However, some JS API requests lacked proper access controls, allowing a user who holds JS management permissions in any account to execute certain administrative actions on JetStream assets in other accounts. At least one of the unprotected APIs allows data destruction, although none of the affected APIs permits disclosing stream contents.
Exploit Details
A malicious user with JS management permissions in their own account could send an API request that alters JetStream assets belonging to other accounts, leading to data corruption or destruction.
Here is a code snippet showing how such an API request could be sent in a vulnerable environment:
// Illustrative example against a vulnerable NATS-Server instance, written
// against the callback-style nats.js v1 API (synchronous connect()).
const NATS = require('nats');
const client = NATS.connect();
// assumes the connecting user holds JS management permission in its own account
client.subscribe('$JS.ACK.messages', (msg, reply, subject) => {
  // handle the response to the administrative action
  console.log('Received message on subject: %s', subject);
});
// illustrative subject and payload standing in for a JS management request
client.publish('$JS.ACK.messages', 'alter_or_delete_operation_data');
Solution
The vulnerability has been fixed in NATS-Server v2.11.1 and v2.10.27.
Mitigation
Upgrade your NATS-Server installation to version 2.11.1 or 2.10.27 to address this vulnerability. The fixed versions enforce adequate access controls on the JS APIs.
Additionally, review your user accounts and their associated permissions to ensure that only authorized users can reach the JS management API subjects.
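A permission review means checking which users can publish to the JetStream API namespace at all, since that is the precondition the advisory describes. The Go program below is an added example, not code from the advisory or the NATS project: it implements NATS subject-wildcard matching ("*" matches one token, ">" matches the remaining tokens) and evaluates publish permissions the way the server does (deny wins, then the allow list, and an empty allow list permits everything), then reports which users in a constructed list can reach representative $JS.API stream management subjects. The user definitions are constructed samples; the probe subjects use the standard JetStream API naming ($JS.API.STREAM.DELETE.<stream> and friends).

```go
package main

import (
	"fmt"
	"strings"
)

// userPerms mirrors the publish permission block of a NATS user.
type userPerms struct {
	Name  string
	Allow []string // empty means "all subjects allowed", as in the server's default
	Deny  []string
}

// subjectMatch implements NATS subject wildcards: "*" matches exactly one token,
// ">" matches one or more trailing tokens and is only valid as the last token.
func subjectMatch(pattern, subject string) bool {
	p := strings.Split(pattern, ".")
	s := strings.Split(subject, ".")
	for i, tok := range p {
		if tok == ">" {
			return i == len(p)-1 && len(s) > i
		}
		if i >= len(s) {
			return false
		}
		if tok != "*" && tok != s[i] {
			return false
		}
	}
	return len(p) == len(s)
}

func matchesAny(patterns []string, subject string) bool {
	for _, p := range patterns {
		if subjectMatch(p, subject) {
			return true
		}
	}
	return false
}

// canPublish evaluates the permission: an explicit deny wins, then the allow
// list applies, and an empty allow list permits all subjects.
func canPublish(u userPerms, subject string) bool {
	if matchesAny(u.Deny, subject) {
		return false
	}
	return len(u.Allow) == 0 || matchesAny(u.Allow, subject)
}

// jsAdminProbes are representative JetStream API subjects for a stream named
// "orders"; DELETE and PURGE are the destructive ones.
var jsAdminProbes = []string{
	"$JS.API.STREAM.DELETE.orders",
	"$JS.API.STREAM.PURGE.orders",
	"$JS.API.STREAM.INFO.orders",
}

// usersWithJSManagement returns the names of users that can publish to at
// least one probe subject, i.e. that hold JS management reach.
func usersWithJSManagement(users []userPerms) []string {
	var out []string
	for _, u := range users {
		for _, probe := range jsAdminProbes {
			if canPublish(u, probe) {
				out = append(out, u.Name)
				break
			}
		}
	}
	return out
}

func main() {
	// Constructed permission sets for illustration; not from a real deployment.
	users := []userPerms{
		{Name: "svc-orders", Allow: []string{"orders.>", "_INBOX.>"}},
		{Name: "ops", Allow: []string{">"}},                        // unrestricted
		{Name: "dashboard", Deny: []string{"$JS.API.>"}},           // everything except the JS API
		{Name: "js-admin", Allow: []string{"$JS.API.STREAM.*.orders"}},
	}
	for _, name := range usersWithJSManagement(users) {
		fmt.Println("has JS management reach:", name)
	}
}
```

Users the program lists are the ones whose credentials matter for this CVE until the server is upgraded; the same matcher can be pointed at any other sensitive subject prefix.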
Disclaimer
This post is provided for informational purposes only and should not be construed as legal or technical advice. The opinions expressed herein are the author's own and not necessarily endorsed by any organization or entity. Any actions taken based on the information provided should be done with due diligence and full understanding of the associated risks.
Timeline
Published on: 04/16/2025 00:15:19 UTC
Last modified on: 04/17/2025 15:15:55 UTC