A security vulnerability has been discovered in NATS Server, a communications system for digital systems, services, and devices. The vulnerability, identified as CVE-2025-30215, involves missing access controls for the JetStream (JS) API.
The advisory explains that the management of JetStream assets occurs through messages in the $JS. subject namespace within the system account. While some of this is exposed to regular accounts, "Some of the JS API requests were missing access controls."
This lack of access control allows a user with JS management permissions in any account to perform certain administrative actions on any JS asset in any other account. The advisory emphasizes the severity of this issue, stating, "At least one of the unprotected APIs allows for data destruction." However, it also clarifies that "None of the affected APIs allow disclosing stream contents."
The affected versions of NATS Server are 2.x releases from v2.2.0 onwards that are earlier than v2.11.1 or v2.10.27.
The solution to this vulnerability is to upgrade to NATS Server version 2.11.1 or 2.10.27, where the issue has been fixed.
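As an added example, not part of the advisory or of the NATS project, the following Python script classifies NATS Server version strings against the affected range stated above, so an operator can quickly triage a fleet. It accepts either a bare version ("v2.10.26") or the banner printed by nats-server -v; the banner lines embedded in the script are constructed sample input, and the assumption that releases newer than 2.11.1 (for example a future 2.12 line) are fixed is the script's, not the advisory's.

```python
"""Triage helper for CVE-2025-30215 (added example, not from the advisory).

Affected per the advisory: NATS Server 2.x from v2.2.0 onwards, earlier than
the fixed releases v2.10.27 (2.10 branch) and v2.11.1 (2.11 branch).
"""
import re

# Fixed releases named in the advisory.
FIXED_2_10 = (2, 10, 27)
FIXED_2_11 = (2, 11, 1)
FIRST_AFFECTED = (2, 2, 0)

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract (major, minor, patch) from 'v2.10.26' or 'nats-server: v2.10.26'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """Return True if the version falls inside the advisory's affected range.

    Two windows are affected:
      [2.2.0, 2.10.27)  -- everything from the first affected release up to
                           the 2.10 fix (covers 2.2 through 2.9 as well)
      [2.11.0, 2.11.1)  -- the 2.11 line before its fix
    Releases at or above each fix, and anything outside 2.x, are treated as
    not affected (assumption for versions newer than 2.11.1).
    """
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    in_2_10_window = FIRST_AFFECTED <= v < FIXED_2_10
    in_2_11_window = (2, 11, 0) <= v < FIXED_2_11
    return in_2_10_window or in_2_11_window


def triage(banners):
    """Map hostname -> True/False for a dict of hostname -> 'nats-server -v' output."""
    return {host: is_affected(banner) for host, banner in banners.items()}


# Constructed sample fleet output; not real hosts or captured data.
SAMPLE_BANNERS = {
    "nats-a": "nats-server: v2.10.26",   # affected
    "nats-b": "nats-server: v2.10.27",   # fixed
    "nats-c": "nats-server: v2.11.0",    # affected
    "nats-d": "nats-server: v2.11.1",    # fixed
    "nats-e": "nats-server: v2.1.9",     # before first affected release
}

if __name__ == "__main__":
    for host, affected in triage(SAMPLE_BANNERS).items():
        print(f"{host}: {'UPGRADE' if affected else 'ok'}")
```

Run it against the real output of nats-server -v from each node; any host reported as UPGRADE should be moved to 2.10.27 or 2.11.1 as the advisory directs.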