Skip to content

Security data

Weaknesses (CWE)The MITRE CWE weakness catalog
Attack Patterns (CAPEC)MITRE CAPEC attack patterns
CNAsNumbering authorities + report cards
VendorsVulnerabilities by vendor

Tools

CVSS CalculatorScore CVSS 4.0, 3.1, 3.0 & 2.0

Resources

LearnPlain-English security guides
Data SourcesHow we source CVE data

About Us Blog Pricing Book a Demo

Log in

RadicalNotion.AI

We do not sell or share your personal information

© 2026 RadicalNotion.AI

Security Data

CWE Directory
CAPEC Directory
CNA Directory
CNA Report Cards
Data Sources

Calculators

CVSS Calculator
CVSS 4.0
CVSS 3.1
CVSS 3.0
CVSS 2.0

Platform

My Vulnerabilities
Insights
Notifications
Account
Pricing

Company

About us
Blog
Learn
Book a demo

Get Started

Sign up
Log in

Legal

Privacy
Terms

Home
Vendors
Nats Io

nats-io Vulnerabilities: CVEs, CISA KEV & Security Advisories

27 CVEs

nats-io Vulnerabilities

CVE security advisories and vulnerability history for nats-io.

27

Total CVEs

Published

0

In CISA KEV

Exploited in the wild

2

Public exploits

With known exploit

6.7

Avg CVSS

2019–2026

Overview

nats-io has 27 published CVE records since 2019, of which 0 are in CISA's Known Exploited Vulnerabilities catalog and 2 have a known public exploit. The average CVSS base score across scored CVEs is 6.7.

This page aggregates every publicly disclosed vulnerability (CVE) affecting nats-io products, with severity breakdowns, the most-affected products, the most common weakness types, and the latest disclosures.

Severity and exploitation

How the CVSS severity of nats-io's CVEs breaks down, plus how many are exploited in the wild or have public exploit code.

Critical1

High8

Medium9

Low0

9 additional CVEs have no CVSS severity score.

In CISA’s Known Exploited Vulnerabilities catalog

0

None of nats-io's CVEs are currently listed in CISA's KEV catalog.

Public exploits

2

2 of nats-io's CVEs have a known public exploit available.

Most affected products

The nats-io products with the most published CVEs.

nats-server25 CVEs
github.com/nats-io/nats-server/v223 CVEs
nats21 CVEs
github.com/nats-io/nats-server20 CVEs
github.com/nats-io/nats-streaming-server3 CVEs
github.com/nats-io/jwt3 CVEs
fedora2 CVEs
nats streaming server2 CVEs

Common weakness types

The CWE weakness categories most often found in nats-io CVEs. Follow any weakness for its full explanation.

CWE-863Incorrect Authorization2 CVEs
CWE-290Authentication Bypass by Spoofing2 CVEs
CWE-770Allocation of Resources Without Limits or Throttling2 CVEs
CWE-256Plaintext Storage of a Password1 CVE
CWE-285Improper Authorization1 CVE
CWE-287Improper Authentication1 CVE
CWE-190Integer Overflow or Wraparound1 CVE
CWE-306Missing Authentication for Critical Function1 CVE

CNAs that assign these CVEs

The CVE Numbering Authorities that publish nats-io CVE records.

GitHub_M16 CVEs
mitre10 CVEs
snyk1 CVEs

Disclosure activity by year

How many nats-io CVEs were published each year.

2019

1

2020

3

2021

2

2022

2

2023

3

2024

1

2025

1

2026

14

Latest nats-io CVEs

The most recently disclosed vulnerabilities affecting nats-io.

NATS: Message tracing can be redirected to arbitrary subject
CWE-863
Medium · CVSS 4.3
EPSS 0.0%2026-03-25
NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing
CWE-290
Medium · CVSS 6.4
EPSS 0.0%2026-03-25
NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching
CWE-287
Medium · CVSS 4.2
EPSS 0.0%2026-03-25
NATS JetStream has an authorization bypass through its Management API
CWE-285
Medium · CVSS 4.9
EPSS 0.0%2026-03-25
NATS credentials are exposed in monitoring port via command-line argv
CWE-215
High · CVSS 7.4
EPSS 0.0%2026-03-25
NATS is vulnerable to pre-auth DoS through WebSockets client service
CWE-770
Medium · CVSS 5.3
EPSS 0.1%2026-03-25
NATS has pre-auth server panic via leafnode handling
CWE-20
High · CVSS 7.5
EPSS 0.1%2026-03-25
NATS: Leafnode connections allow spoofing of Nats-Request-Info identity headers
CWE-290
Medium · CVSS 6.4
EPSS 0.0%2026-03-25
NATS allows MQTT clients to bypass ACL checks
CWE-863
High · CVSS 7.1
EPSS 0.0%2026-03-25
NATS has MQTT plaintext password disclosure
CWE-256
High · CVSS 8.6
EPSS 0.1%2026-03-25
NATS Server panic via malicious compression on leafnode port
CWE-476
High · CVSS 7.5
EPSS 0.1%2026-03-25
NATS: Pre-auth remote server crash via WebSocket frame length overflow in wsRead
CWE-190
High · CVSS 7.5
EPSS 0.1%2026-03-25

Track new nats-io CVEs as they are disclosed and get AI-written analysis and remediation guidance.

Monitor nats-io CVEs

Other vendors

Browse vulnerabilities for other tracked vendors.

microsoft24,097 CVEs Linux19,131 CVEs google14,281 CVEs apple14,019 CVEs oracle10,440 CVEs debian10,201 CVEs IBM8,265 CVEs Adobe7,222 CVEs

Browse all vendors

Frequently asked questions

Common questions about nats-io vulnerabilities.

How many CVEs does nats-io have?

nats-io has 27 published CVE records since 2019, including 15 in the last two years.

How many nats-io CVEs are in CISA KEV?

None of nats-io's CVEs are currently listed in CISA's Known Exploited Vulnerabilities catalog.

Which nats-io products have the most CVEs?

The nats-io products with the most published CVEs are nats-server, github.com/nats-io/nats-server/v2, nats, github.com/nats-io/nats-server, github.com/nats-io/nats-streaming-server.

What are the most common weakness types in nats-io CVEs?

nats-io's CVEs most often map to these CWE weakness types: CWE-863 (Incorrect Authorization), CWE-290 (Authentication Bypass by Spoofing), CWE-770 (Allocation of Resources Without Limits or Throttling), CWE-256 (Plaintext Storage of a Password).

Are there public exploits for nats-io vulnerabilities?

Yes — 2 of nats-io's CVEs have a known public exploit.

How many critical nats-io vulnerabilities are there?

nats-io has 1 critical and 8 high-severity CVEs.

What is the average severity of nats-io CVEs?

The average CVSS base score across nats-io's scored CVEs is 6.7.

References

The MITRE CVE Program (opens in a new tab)
Learn: What is a CVE?
CWE directory: the weakness types these CVEs map to
CNA directory: the CNAs that assign these CVEs

Vulnerability data is sourced from the CVE Program; severity, KEV, and exploit signals are aggregated by RadicalNotion.AI.

Track nats-io vulnerabilities

Monitor new nats-io vulnerabilities as they are disclosed, with AI-written analysis and remediation guidance.

Start free See pricing

On this page

Overview
Severity and exploitation
Most affected products
Common weakness types
Assigning CNAs
Disclosure activity
Latest CVEs
Other vendors
FAQ
References