Impact
The vulnerability permits an MQTT client to include protocol control characters in subscription filters, which the NATS server forwards to leaf or route connections as legitimate NATS protocol data. This corrupts the forwarded stream and allows injection of unintended NATS protocol operations, effectively creating a command injection flaw (CWE‑74) that can alter cluster behavior, exfiltrate data, or potentially compromise the system's integrity.
Affected Systems
NATS Server 2.12.x and 2.14.x series prior to releases 2.12.9 and 2.14.1 are affected. Any deployment of nats-io:nats-server on these versions that accepts MQTT connections from external clients is vulnerable.
Risk and Exploitability
The CVSS score of 7.1 reflects a moderate‑to‑high risk. EPSS is not available and the issue is not listed in CISA KEV. The most likely attack vector is a malicious MQTT client that can send crafted subscription requests to the vulnerable server. Because the exploitation requires only network access to the MQTT port and does not need privileged credentials, the potential impact is significant for organizations that expose MQTT traffic to untrusted networks.
OpenCVE Enrichment