CVE-2025-30215
📋 TL;DR
This CVE-2025-30215 is an improper access control vulnerability in NATS-Server's JetStream management system. It allows any user with JetStream management permissions in any account to perform administrative actions on JetStream assets in other accounts, including data destruction operations. This affects NATS-Server versions 2.2.0 through 2.10.26 and 2.11.0.
💻 Affected Systems
- NATS-Server
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Malicious actor with JetStream permissions in any account could destroy all JetStream data across all accounts in the NATS cluster, causing complete data loss and service disruption.
Likely Case
Accidental or intentional cross-account data manipulation or destruction by authorized users with JetStream permissions, leading to data corruption or loss in other accounts.
If Mitigated
Limited to authorized users with JetStream permissions, but still allows unauthorized cross-account operations within the same NATS deployment.
🎯 Exploit Status
Exploitation requires JetStream management permissions in any account. The vulnerability is in the API access controls, making exploitation straightforward for authorized users.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.10.27 or 2.11.1
Vendor Advisory: https://advisories.nats.io/CVE/secnote-2025-01.txt
Restart Required: Yes
Instructions:
1. Download NATS-Server v2.10.27 or v2.11.1 from official sources.
2. Stop the NATS-Server service.
3. Replace the binary with the patched version.
4. Restart the NATS-Server service.
5. Verify the version is updated.
🔧 Temporary Workarounds
Restrict JetStream Management Permissions
Temporarily limit JetStream management permissions to only essential users until patching can be completed.
# Review and update NATS account configurations to restrict JS management permissions
# Example: Modify account configurations to remove JS management from non-essential users
Isolate Accounts
Deploy separate NATS instances for different accounts to prevent cross-account access.
# Deploy separate NATS-Server instances for different account groups
# Configure each instance with only the necessary accounts
🧯 If You Can't Patch
- Implement strict network segmentation between accounts using firewalls or network policies
- Enable comprehensive audit logging for all JetStream API calls and monitor for unauthorized cross-account operations
🔍 How to Verify
Check if Vulnerable:
Check the NATS-Server version using 'nats-server --version'. If the version is between 2.2.0 and 2.10.26 (inclusive) or exactly 2.11.0, and JetStream is enabled with multiple accounts, the system is vulnerable.
Check Version:
nats-server --version
Verify Fix Applied:
After patching, verify version is 2.10.27 or 2.11.1 using 'nats-server --version'. Test that users with JetStream permissions in one account cannot modify assets in other accounts.
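The version check above can be scripted. The following is an added example, not code from this page or from the NATS project: it parses the output of `nats-server --version` (assumed to look like `nats-server: v2.10.26`, the format current releases print) and classifies the build against the affected and fixed versions stated on this page. The JetStream-enabled and multiple-accounts conditions are not derivable from the version string, so the script only reminds the operator of them.

```python
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected and fixed versions as stated in the advisory text on this page.
VULNERABLE_RANGES = [((2, 2, 0), (2, 10, 26)),   # 2.2.0 through 2.10.26
                     ((2, 11, 0), (2, 11, 0))]   # exactly 2.11.0
FIXED_VERSIONS = {(2, 10, 27), (2, 11, 1)}

VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)")


def parse_version(output: str) -> Optional[Version]:
    """Pull (major, minor, patch) out of `nats-server --version` output.

    The binary prints a line such as 'nats-server: v2.10.26' (format assumed
    from current releases); pre-release suffixes like -RC.1 are ignored."""
    m = VERSION_RE.search(output)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def classify(output: str) -> str:
    """Return 'vulnerable', 'fixed', 'not-affected' or 'unknown'."""
    v = parse_version(output)
    if v is None:
        return "unknown"
    if any(lo <= v <= hi for lo, hi in VULNERABLE_RANGES):
        return "vulnerable"
    if v in FIXED_VERSIONS:
        return "fixed"
    # Older than 2.2.0 (no affected code) or newer than the fix releases.
    return "not-affected"


def check_local_binary(binary: str = "nats-server") -> str:
    """Run the real binary and classify it; 'unknown' if it is not installed."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, check=False)
    except FileNotFoundError:
        return "unknown"
    return classify(out.stdout + out.stderr)


if __name__ == "__main__":
    status = check_local_binary()
    print(f"nats-server status for CVE-2025-30215: {status}")
    if status == "vulnerable":
        print("Note: exposure also requires JetStream enabled with more than one account.")
```

Run it on each server host; a result of `not-affected` for a 2.10.x build newer than 2.10.27 is expected, since only the listed ranges carry the flaw.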
📡 Detection & Monitoring
Log Indicators:
- Unusual cross-account JetStream API calls
- JetStream asset deletion or modification from unexpected accounts
- Failed access control checks in system logs
Network Indicators:
- Unusual patterns of requests to $JS. subject namespace from non-system accounts
- Cross-account JetStream management traffic
SIEM Query:
source="nats-server" AND (message="$JS.*" OR message="JetStream") AND (account!="system")
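The SIEM query above keys only on the account name, which is noisy because account holders legitimately manage their own assets through `$JS.API.>`. A sharper rule for the "deletion or modification from unexpected accounts" indicator is to compare the stream named in the API subject against an inventory of which account owns which streams. The script below is an added example, not code from this page or from the NATS project. The log lines are constructed in the style of `nats-server -DV` trace output, and the `acc:` field layout is an approximation rather than a captured sample; the ownership inventory is also constructed and in practice would be built from each account's stream listing.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample in the style of nats-server -DV trace lines; the exact
# field layout (including the "acc:" field) is approximated, not captured
# from a real server.
SAMPLE_LOG = """\
[1] 2025/04/01 10:00:01.000001 [TRC] 10.0.0.5:51234 - cid:7 - acc:ORDERS - <<- [PUB $JS.API.STREAM.INFO.orders _INBOX.a1 0]
[1] 2025/04/01 10:00:02.000001 [TRC] 10.0.0.9:51240 - cid:9 - acc:ANALYTICS - <<- [PUB $JS.API.STREAM.INFO.orders _INBOX.b2 0]
[1] 2025/04/01 10:00:03.000001 [TRC] 10.0.0.9:51240 - cid:9 - acc:ANALYTICS - <<- [PUB $JS.API.STREAM.PURGE.orders _INBOX.c3 0]
[1] 2025/04/01 10:00:04.000001 [TRC] 10.0.0.9:51240 - cid:9 - acc:ANALYTICS - <<- [PUB $JS.API.STREAM.DELETE.orders _INBOX.d4 0]
[1] 2025/04/01 10:00:05.000001 [TRC] 10.0.0.9:51240 - cid:9 - acc:ANALYTICS - <<- [PUB $JS.API.STREAM.DELETE.metrics _INBOX.e5 0]
[1] 2025/04/01 10:00:06.000001 [TRC] 10.0.0.2:51000 - cid:2 - acc:$SYS - <<- [PUB $JS.API.STREAM.LIST _INBOX.f6 0]
[1] 2025/04/01 10:00:07.000001 [TRC] 10.0.0.5:51234 - cid:7 - acc:ORDERS - <<- [PUB orders.new _INBOX.g7 12]
"""

# Constructed inventory of which account owns which streams (in a real
# deployment, build it from a per-account stream listing).
INVENTORY: Dict[str, Set[str]] = {"ORDERS": {"orders"}, "ANALYTICS": {"metrics"}}

SYSTEM_ACCOUNTS = {"$SYS", "system"}
LINE_RE = re.compile(r"acc:(?P<acc>\S+) - <<- \[PUB (?P<subj>\$JS\.API\.\S+) ")
# JetStream API verbs that are followed by a stream name in the subject.
KNOWN_OPS = {
    "STREAM": {"INFO", "DELETE", "PURGE", "UPDATE", "CREATE", "SNAPSHOT", "RESTORE",
               "MSG.DELETE", "MSG.GET", "LEADER.STEPDOWN", "PEER.REMOVE"},
    "CONSUMER": {"INFO", "DELETE", "CREATE", "LIST", "NAMES", "DURABLE.CREATE", "MSG.NEXT"},
}
DESTRUCTIVE = {"DELETE", "PURGE", "UPDATE", "RESTORE", "MSG.DELETE", "PEER.REMOVE"}


def split_api_subject(subject: str) -> Optional[Tuple[str, str, str]]:
    """Return (kind, op, stream) for a $JS.API.STREAM/CONSUMER subject, else None."""
    parts = subject.split(".")
    if len(parts) < 4 or parts[:2] != ["$JS", "API"] or parts[2] not in KNOWN_OPS:
        return None
    kind, rest = parts[2], parts[3:]
    for n in (2, 1):  # two-token verbs such as MSG.DELETE first, then one-token
        op = ".".join(rest[:n])
        if op in KNOWN_OPS[kind] and len(rest) > n:
            return kind, op, rest[n]
    return None


def find_cross_account_calls(log_text: str, inventory: Dict[str, Set[str]]) -> List[dict]:
    """Flag JetStream API calls that name a stream the calling account does not own."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue  # not a JetStream API publish
        account, subject = m["acc"], m["subj"]
        if account in SYSTEM_ACCOUNTS:
            continue  # the system account legitimately manages all assets
        parsed = split_api_subject(subject)
        if parsed is None:
            continue  # list/names style calls carry no stream name
        _kind, op, stream = parsed
        if stream in inventory.get(account, set()):
            continue  # operating on its own asset
        findings.append({
            "account": account,
            "op": op,
            "stream": stream,
            "severity": "high" if op in DESTRUCTIVE else "low",
        })
    return findings


if __name__ == "__main__":
    for f in find_cross_account_calls(SAMPLE_LOG, INVENTORY):
        print(f"{f['severity']:4} account={f['account']} op={f['op']} stream={f['stream']}")
```

On the constructed sample this yields three findings, all for the ANALYTICS account acting on the `orders` stream it does not own: one low-severity INFO and two high-severity PURGE/DELETE calls. Stream names are scoped per account in NATS, so a hit on a name the caller does not own is suspicious in itself; on a patched server such calls should fail, but they are still worth alerting on as an attempt.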