N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-f5v5-ccqc-6w36

GHSA-f5v5-ccqc-6w36: async-nats vulnerable to TLS certificate common name validation bypass

The NATS official Rust clients are vulnerable to MitM when using TLS.

The common name of the server's TLS certificate is validated against the hostname provided by the server's plaintext INFO message during the initial connection setup phase. A MitM proxy can tamper with the host field's value by substituting it with the common name of a valid certificate it controls, fooling the client into accepting it.

Reproduction steps

The NATS Rust client tries to establish a new connection
The connection is intercepted by a MitM proxy
The proxy makes a separate connection to the NATS server
The NATS server replies with an INFO message
The proxy reads the INFO, alters the host JSON field and passes the tampered INFO back to the client
The proxy upgrades the client connection to TLS, presenting a certificate issued by a certificate authority present in the client's keychain. In the previous step the host was set to the common name of said certificate
rustls accepts the certificate, having verified that the common name matches the attacker-controlled value it was given
The client has been fooled by the MitM proxy into accepting the attacker-controlled certificate

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-f5v5-ccqc-6w36

GHSA-f5v5-ccqc-6w36:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
async-nats	rust	< 0.29.0	0.29.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how TLS certificate validation was implemented in the connection setup process. The commit diff shows a critical change in connector.rs where the domain name for certificate validation was previously derived from the server-provided INFO message's 'host' field (info.host) but was later changed to use the original tls_host parameter. The vulnerable code path in versions <0.29.0 trusted the attacker-controllable INFO.host value for TLS CN validation, while the patched version uses the client's intended hostname (tls_host). This matches the vulnerability description of trusting a tamperable plaintext field for security-critical certificate validation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-f5v5-ccqc-6w36: async-nats vulnerable to TLS certificate common name validation bypass

Reproduction steps

GHSA-f5v5-ccqc-6w36:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

GHSA-f5v5-ccqc-6w36: async-nats vulnerable to TLS certificate common name validation bypass

Reproduction steps

N/A

N/A

Basic Information

Basic Information

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI