CVE-2025-30215: 
CBL Mariner vulnerability analysis and mitigation

NATS-Server, a High-Performance server for NATS.io cloud and edge native messaging system, was found to contain missing access controls in versions from 2.2.0 up to versions prior to 2.10.27 and 2.11.1. The vulnerability was discovered on March 5, 2025, and publicly disclosed on April 15, 2025. The issue affects the management of JetStream assets that occurs in the $JS subject namespace within the system account (NATS Advisory, GitHub Advisory).

The vulnerability stems from missing access controls in JS API requests within the system account's $JS subject namespace. This namespace is partially exposed to regular accounts for asset management purposes. The issue received a CVSS v3.1 base score of 9.6 (Critical) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H. The vulnerability is classified under CWE-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function) (GitHub Advisory).

The vulnerability allows any user with JS management permissions in any account to perform unauthorized administrative actions on JS assets across any other account. At least one of the unprotected APIs enables data destruction capabilities. While the vulnerability does not permit the disclosure of stream contents, it poses significant risks to data integrity and system availability (NATS Advisory).

The vulnerability has been fixed in NATS-Server versions 2.11.1 and 2.10.27. No workarounds are available, and users are strongly advised to upgrade to the patched versions. The fix implements proper authorization checks for the affected JetStream admin APIs (NATS Advisory).

The vulnerability was initially reported by Thomas Morgan and was subsequently tracked across multiple security platforms. The issue was discussed in the oss-security mailing list, highlighting its significance in the open-source community (OSS Security).