Platform
go
Component
github.com/nats-io/nats-server/v2
Fixed in
2.2.1
2.11.1
2.11.1
2.10.27
2.10.27
CVE-2025-30215 represents a critical Privilege Escalation vulnerability discovered in NATS Server v2. This flaw allows an attacker to potentially elevate their privileges within the system, leading to unauthorized access and control. The vulnerability impacts versions of NATS Server prior to 2.10.27, and a fix is available in version 2.10.27. Prompt patching is strongly recommended.
Successful exploitation of CVE-2025-30215 could grant an attacker complete control over the NATS Server instance and potentially the underlying host system. This could involve reading sensitive data, modifying configurations, installing malware, or using the server as a launchpad for further attacks within the network. The blast radius extends to any application or service relying on NATS for messaging, as an attacker could intercept or manipulate messages, disrupt operations, or exfiltrate data. While specific attack details remain undisclosed, the 'Privilege Escalation' classification suggests a sophisticated exploitation pathway, potentially bypassing standard access controls.
CVE-2025-30215 was publicly disclosed on April 22, 2025. The vulnerability's severity is classified as CRITICAL (CVSS 9.6). As of this writing, no public proof-of-concept exploits have been released, but the high CVSS score suggests a potential for rapid exploitation. It is advisable to monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns. The vulnerability has not yet been added to the CISA KEV catalog.
Exploit Status
EPSS
0.07% (21% percentile)
CVSS Vector
The primary mitigation for CVE-2025-30215 is to immediately upgrade NATS Server to version 2.10.27 or later. If an immediate upgrade is not feasible due to compatibility constraints or testing requirements, consider implementing temporary workarounds such as restricting network access to the NATS Server instance using firewalls or network segmentation. Review and strengthen authentication and authorization mechanisms to limit the potential impact of a successful privilege escalation. Monitor NATS Server logs for any suspicious activity or unauthorized access attempts.
Update nats-server to version 2.10.27 or higher, or to version 2.11.1 or higher. This corrects the lack of access controls in certain JetStream administration APIs, preventing the execution of unauthorized administrative actions and potential data destruction.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-30215 is a critical vulnerability in NATS Server v2 that allows an attacker to escalate their privileges, potentially gaining full control of the server and underlying system.
You are affected if you are running NATS Server v2 prior to version 2.10.27. Immediate action is required to mitigate this risk.
Upgrade NATS Server to version 2.10.27 or later. If immediate upgrade is not possible, implement temporary workarounds like network segmentation.
While no public exploits are currently available, the high CVSS score suggests a potential for rapid exploitation. Continuous monitoring is recommended.
Refer to the official NATS Server security advisories on the NATS website or GitHub repository for the latest information and updates.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your go.mod file and we'll tell you instantly if you're affected.