
CVE-2020-28466: Denial of service in github.com/nats-io/nats-server/server

CVSS Score: 7.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.91879%
Published: 2/15/2022
Updated: 10/2/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name                        Ecosystem   Vulnerable Versions   First Patched Version
github.com/nats-io/nats-server      go          < 2.2.0               2.2.0
github.com/nats-io/nats-server/v2   go          < 2.2.0               2.2.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from missing cycle detection in the service import/export logic. GitHub commit 2e3c226 shows that the fix added cycle checks to AddServiceImportWithClaim via importFormsCycle(). Vulnerable versions lacked these checks, so a malicious account could create an infinite routing loop by configuring reciprocal service imports and exports, resulting in the denial of service described above. The primary vulnerable entry point is AddServiceImportWithClaim, which handled untrusted input without cycle validation. The medium confidence assigned to addServiceImport reflects its role in the import process; the exact pre-patch implementation details are not fully visible in the provided diffs.


WAF Protection Rules

WAF Rule

This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent a service export/import cycles. Disclaimer from the maintainers - Running a NATS service which is
