
Cloud Vulnerability DB
A community-led vulnerabilities database
The NATS official Rust clients were found to be vulnerable to Man-in-the-Middle (MitM) attacks when using TLS, affecting versions 0.9.0 through 0.24.0 of the nats crate. The vulnerability was discovered and disclosed in March 2023, with a patch released in version 0.24.1. The issue stems from the way the client validates the server's TLS certificate common name against the hostname provided in the server's plaintext INFO message during initial connection setup (GitHub Advisory, RustSec Advisory).
The vulnerability allows a MitM proxy to manipulate the host field value in the server's INFO message by substituting it with the common name of a valid certificate under the attacker's control. This manipulation causes the client to accept the malicious certificate, as rustls verifies that the common name matches the attacker-controlled value. The vulnerability is tracked as GHSA-wvc4-j7g5-4f79 and has been assigned a Moderate severity rating (GitHub Advisory).
When exploited, this vulnerability allows an attacker to perform a Man-in-the-Middle attack against NATS clients using TLS connections. The attacker can intercept and potentially manipulate all communication between the client and server while bypassing the TLS certificate validation mechanisms (RustSec Advisory).
Users are advised to upgrade to nats version 0.24.1 or later, which contains the fix for this vulnerability. Alternatively, users can switch to async-nats >= 0.29.0, which has already addressed this issue. The fix prevents the client from trusting pre-TLS addresses provided by the NATS server (GitHub PR).
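The following is an added example, not code from the nats crate: a minimal model of how a client picks the name it verifies the server certificate against, contrasting the behaviour the advisory describes (host taken from the pre-TLS INFO message) with the fixed behaviour (host taken from the URL the application dialled). The connect URL, INFO line and host names are constructed sample values.

```rust
// Added example (not the nats crate's code): minimal model of which host
// name the client verifies the server certificate against.
// The connect URL and INFO line below are constructed sample values.

/// Pull a string field out of a NATS `INFO {...}` line. Hand-rolled so the
/// example needs no crates; it only handles the plain "key":"value" form.
fn info_field(info_line: &str, key: &str) -> Option<String> {
    let json = info_line.strip_prefix("INFO ")?;
    let needle = format!("\"{key}\":\"");
    let start = json.find(&needle)? + needle.len();
    let end = start + json[start..].find('"')?;
    Some(json[start..end].to_string())
}

/// Host part of the URL the application configured, e.g.
/// `tls://user:pw@nats.example.com:4222` -> `nats.example.com`.
/// (Bracketed IPv6 literals are not handled; enough for the example.)
fn host_from_connect_url(url: &str) -> Option<String> {
    let rest = url.split_once("://").map(|(_, r)| r).unwrap_or(url);
    let authority = rest.split('/').next()?;
    let hostport = authority.rsplit('@').next()?;
    let host = hostport.rsplit_once(':').map(|(h, _)| h).unwrap_or(hostport);
    if host.is_empty() { None } else { Some(host.to_string()) }
}

/// Behaviour the advisory describes for nats 0.9.0 through 0.24.0: the
/// `host` from the unauthenticated, pre-TLS INFO message decides which
/// name the certificate is checked against.
fn tls_server_name_vulnerable(info_line: &str, connect_url: &str) -> Option<String> {
    info_field(info_line, "host").or_else(|| host_from_connect_url(connect_url))
}

/// Fixed behaviour: only the host the application dialled is used; nothing
/// received before the TLS handshake may influence certificate validation.
fn tls_server_name_fixed(_info_line: &str, connect_url: &str) -> Option<String> {
    host_from_connect_url(connect_url)
}

// Constructed sample: the INFO host differs from the dialled host, which is
// exactly the field the advisory says a MitM proxy can substitute.
const CONNECT_URL: &str = "tls://app:secret@nats.example.com:4222";
const INFO_LINE: &str =
    "INFO {\"server_id\":\"S1\",\"host\":\"proxy.example.net\",\"port\":4222,\"tls_required\":true}";

fn main() {
    let vuln = tls_server_name_vulnerable(INFO_LINE, CONNECT_URL);
    let fixed = tls_server_name_fixed(INFO_LINE, CONNECT_URL);
    println!("vulnerable client verifies cert for: {vuln:?}");
    println!("fixed client verifies cert for:      {fixed:?}");
}
```

Running it shows the vulnerable path validating the certificate for `proxy.example.net` while the fixed path sticks to `nats.example.com`; the same comparison is a quick review check for any client that derives its TLS server name from server-supplied data.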
Source: This report was generated using AI