Impact
The flaw allows an authenticated client to receive messages on subjects that should be denied. Overlap between a wildcard subscription and a deny rule that is not a subset of the rule permits delivery to restricted subjects, and queue subscriptions can similarly be affected, enabling delivery of messages to legitimate queue consumers that should not be exposed.
Affected Systems
This concerns the NATS Server product from nats-io. Versions prior to 2.14.0, 2.12.7, and 2.11.16 are vulnerable. Up‑to‑date releases include 2.14.0 and newer, 2.12.7 and newer, or 2.11.16 and newer, depending on the branch.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity. The EPSS score is not listed, so the exploitation likelihood is unknown. The vulnerability is not in the KEV catalog. The likely attack vector involves an authenticated client creating a subscription that overlaps with a deny rule; this is inferred from the description. If an attacker can authenticate, they may bypass subject restrictions.
OpenCVE Enrichment