Vulnerability Database

358,842

Total vulnerabilities in the database

Import loops in account imports, nats-server DoS — github.com/nats-io/nats-server/v2

Uncontrolled Resource Consumption

(This advisory is canonically <https://advisories.nats.io/CVE/CVE-2020-28466.txt>)

Problem Description

An export/import cycle between accounts could crash the nats-server, after consuming CPU and memory.

This issue was fixed publicly in <https://github.com/nats-io/nats-server/pull/1731> in November 2020.

The need to call this out as a security issue was highlighted by snyk.io and we are grateful for their assistance in doing so.

Organizations which run a NATS service providing access to accounts run by untrusted third parties are affected. See below for an important caveat if running such a service.

Affected versions

NATS Server

  • Version 2 prior to 2.2.0
    • 2.0.0 through and including 2.1.9 are vulnerable.
  • fixed with nats-io/nats-server PR 1731, commit 2e3c226729

Impact

The nats-server could be killed, after consuming resources.

Workaround

The import cycle requires at least two accounts to work; if you have open account sign-up, then restricting new account sign-up might hinder an attacker.

Solution

Upgrade the nats-server.

Caveat on NATS with untrusted users

Running a NATS service which is exposed to untrusted users presents a heightened risk.

Any remote execution flaw or equivalent seriousness, or denial-of-service by unauthenticated users, will lead to prompt releases by the NATS maintainers.

Fixes for denial of service issues with no threat of remote execution, when limited to account holders, are likely to just be committed to the main development branch with no special attention.

Those who are running such services are encouraged to build regularly from git.

  • Published: May 21, 2021
  • Updated: Apr 14, 2023
  • GHSA: GHSA-gwj5-3vfq-q992
  • Severity: Low
  • Exploit:
  • CISA KEV:

CVSS v3:

  • Severity: High
  • Score: 7.5
  • AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWEs:

Frequently Asked Questions

A security vulnerability is a weakness in software, hardware, or configuration that can be exploited to compromise confidentiality, integrity, or availability. Many vulnerabilities are tracked as CVEs (Common Vulnerabilities and Exposures), which provide a standardized identifier so teams can coordinate patching, mitigation, and risk assessment across tools and vendors.

CVSS (Common Vulnerability Scoring System) estimates technical severity, but it doesn't automatically equal business risk. Prioritize using context like internet exposure, affected asset criticality, known exploitation (proof-of-concept or in-the-wild), and whether compensating controls exist. A "Medium" CVSS on an exposed, production system can be more urgent than a "Critical" on an isolated, non-production host.

A vulnerability is the underlying weakness. An exploit is the method or code used to take advantage of it. A zero-day is a vulnerability that is unknown to the vendor or has no publicly available fix when attackers begin using it. In practice, risk increases sharply when exploitation becomes reliable or widespread.

Recurring findings usually come from incomplete Asset Discovery, inconsistent patch management, inherited images, and configuration drift. In modern environments, you also need to watch the software supply chain: dependencies, containers, build pipelines, and third-party services can reintroduce the same weakness even after you patch a single host. Unknown or unmanaged assets (often called Shadow IT) are a common reason the same issues resurface.

Use a simple, repeatable triage model: focus first on externally exposed assets, high-value systems (identity, VPN, email, production), vulnerabilities with known exploits, and issues that enable remote code execution or privilege escalation. Then enforce patch SLAs and track progress using consistent metrics so remediation is steady, not reactive.

SynScan combines attack surface monitoring and continuous security auditing to keep your inventory current, flag high-impact vulnerabilities early, and help you turn raw findings into a practical remediation plan.