Impact
The vulnerability allows a leafnode operator to send trace events to subjects that the server normally denies, and to use trace‑only behavior to suppress normal message delivery or storage. This bypass of the Nats-Trace-Dest permission check can enable an attacker to manipulate message flow, hide data exchanges, or force messages to be discarded without detection. The flaw originates from an authorization oversight identified as CWE‑863, whereby leafnode connections are not subject to the same permission enforcement as ordinary client connections.
Affected Systems
The issue affects deployments of the NATS Server from nats‑io, versions prior to 2.12.8 and prior to 2.14.3. All releases before 2.12.8 and 2.14.3 are impacted; upgrading to either revision or a newer version removes the flaw.
Risk and Exploitability
The CVSS score of 5.3 indicates a moderate severity. The EPSS score is less than 1%, indicating a low probability of exploitation. The vulnerability has not been listed in the CISA KEV catalog. The likely attack vector is a malicious or compromised leafnode operator that has been granted connectivity to the server; the operator can inject trace events to unauthorized subjects or suppress normal traffic. Once such a connection is established, an attacker can perform the exploit without additional prerequisites; the weakness is local to the leafnode link, so remote exploitation requires the ability to become a leafnode.
OpenCVE Enrichment