### Background NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The nats-server offers a `Nats-Request-Info:` message header, providing information about a request. ### Problem Description The NATS message header `Nats-Request-Info:` is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was not fully effective. An attacker with valid credentials for any regular client interface could thus spoof their identity to services which rely upon this header. ### Affected Versions Any version before v2.12.6 or v2.11.15 ### Workarounds None.
| Vendor | Product | Versions |
|---|---|---|
| go | github.com/nats-io/nats-server/v2 | go/github.com/nats-io/nats-server/v2: < 2.11.15, go/github.com/nats-io/nats-server/v2: >= 2.12.0-RC.1, < 2.12.6, go/github.com/nats-io/nats-server/v2: <= 2.11.14, go/github.com/nats-io/nats-server/v2: <= 2.12.5 |
Updated affected versions to include up to 2.11.14 and 2.12.5, changed severity to CRITICAL, and noted that the vulnerability is actively exploited.
Initial creation
