7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-28466

GHSA ID

GHSA-m4jx-6526-vvhm

EPSS Score

0.91879%

CWE

CWE-400

Published

2/15/2022

Updated

10/2/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-28466

CVE-2020-28466: Denial of service in github.com/nats-io/nats-server/server

This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent a service export/import cycles. Disclaimer from the maintainers - Running a NATS service which is exposed to untrusted users presents a heightened risk. Any remote execution flaw or equivalent seriousness, or denial-of-service by unauthenticated users, will lead to prompt releases by the NATS maintainers. Fixes for denial of service issues with no threat of remote execution, when limited to account holders, are likely to just be committed to the main development branch with no special attention. Those who are running such services are encouraged to build regularly from git.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-28466

GHSA ID

GHSA-m4jx-6526-vvhm

EPSS Score

0.91879%

CWE

CWE-400

Published

2/15/2022

Updated

10/2/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/nats-io/nats-server	go	< 2.2.0	2.2.0
github.com/nats-io/nats-server/v2	go	< 2.2.0	2.2.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing cycle detection in service import/export logic. The GitHub commit 2e3c226 shows the fix involved adding cycle checks in AddServiceImportWithClaim via importFormsCycle(). The vulnerable versions lacked these checks, allowing malicious accounts to create infinite routing loops through reciprocal service imports/exports. The primary vulnerable entry point is AddServiceImportWithClaim, which handled untrusted input without cycle validation. The medium confidence for addServiceImport reflects its role in the import process, though the exact pre-patch implementation details aren't fully visible in provided diffs.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T*is *****ts *ll v*rsions o* p**k*** *it*u*.*om/n*ts-io/n*ts-s*rv*r/s*rv*r. Untrust** ***ounts *r* **l* to *r*s* t** s*rv*r usin* *on*i*s t**t r*pr*s*nt * s*rvi** *xport/import *y*l*s. *is*l*im*r *rom t** m*int*in*rs - Runnin* * N*TS s*rvi** w*i** is

Reasoning

T** vuln*r**ility st*ms *rom missin* *y*l* **t**tion in s*rvi** import/*xport lo*i*. T** *it*u* *ommit ******* s*ows t** *ix involv** ***in* *y*l* ****ks in `***S*rvi**ImportWit**l*im` vi* `import*orms*y*l*()`. T** vuln*r**l* v*rsions l**k** t**s* **

7.5

Basic Information

Concerned about an active attack path?

CVE-2020-28466: Denial of service in github.com/nats-io/nats-server/server

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI