7.5

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-gwj5-3vfq-q992

EPSS Score

CWE

CWE-400

Published

5/21/2021

Updated

1/9/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-gwj5-3vfq-q992

GHSA-gwj5-3vfq-q992: Import loops in account imports, nats-server DoS

(This advisory is canonically https://advisories.nats.io/CVE/CVE-2020-28466.txt)

Problem Description

An export/import cycle between accounts could crash the nats-server, after consuming CPU and memory.

This issue was fixed publicly in https://github.com/nats-io/nats-server/pull/1731 in November 2020.

The need to call this out as a security issue was highlighted by snyk.io and we are grateful for their assistance in doing so.

Organizations which run a NATS service providing access to accounts run by untrusted third parties are affected. See below for an important caveat if running such a service.

Affected versions

NATS Server

Version 2 prior to 2.2.0
- 2.0.0 through and including 2.1.9 are vulnerable.
fixed with nats-io/nats-server PR 1731, commit 2e3c226729

Impact

The nats-server could be killed, after consuming resources.

Workaround

The import cycle requires at least two accounts to work; if you have open account sign-up, then restricting new account sign-up might hinder an attacker.

Solution

Upgrade the nats-server.

Caveat on NATS with untrusted users

Running a NATS service which is exposed to untrusted users presents a heightened risk.

Any remote execution flaw or equivalent seriousness, or denial-of-service by unauthenticated users, will lead to prompt releases by the NATS maintainers.

Fixes for denial of service issues with no threat of remote execution, when limited to account holders, are likely to just be committed to the main development branch with no special attention.

Those who are running such services are encouraged to build regularly from git.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-gwj5-3vfq-q992

EPSS Score

CWE

CWE-400

Published

5/21/2021

Updated

1/9/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/nats-io/nats-server/v2	go	< 2.2.0	2.2.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The core vulnerability existed in the service import logic where cyclic dependencies between accounts weren't detected. The key function AddServiceImportWithClaim was modified to add cycle checking (via importFormsCycle), proving it was previously vulnerable. This function directly handles import creation and would appear in profilers when attackers attempt to establish cyclic imports. The added error ErrServiceImportFormsCycle and new helper functions (serviceExportOverlaps, serviceImportOverlaps) in the patch further confirm the missing pre-validation was the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

(T*is **visory is **noni**lly <*ttps://**visori*s.n*ts.io/*V*/*V*-****-*****.txt>) ## Pro*l*m **s*ription *n *xport/import *y*l* **tw**n ***ounts *oul* *r*s* t** n*ts-s*rv*r, **t*r *onsumin* *PU *n* m*mory. T*is issu* w*s *ix** pu*li*ly in <*ttps:

Reasoning

T** *or* vuln*r**ility *xist** in t** s*rvi** import lo*i* w**r* *y*li* **p*n**n*i*s **tw**n ***ounts w*r*n't **t**t**. T** k*y *un*tion `***S*rvi**ImportWit**l*im` w*s mo*i*i** to *** *y*l* ****kin* (vi* `import*orms*y*l*`), provin* it w*s pr*viousl

7.5

Basic Information

Concerned about an active attack path?

GHSA-gwj5-3vfq-q992: Import loops in account imports, nats-server DoS

Problem Description

Affected versions

NATS Server

Impact

Workaround

Solution

Caveat on NATS with untrusted users

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI