{"id":"GO-2025-3600","summary":"Missing ACLs on JetStream APIs allowing privilege escalation in github.com/nats-io/nats-server","details":"Missing","aliases":["BIT-nats-2025-30215","CVE-2025-30215","GHSA-fhg8-qxh5-7q3w"],"modified":"2026-03-17T04:49:37.811503Z","published":"2025-04-22T15:29:23Z","related":["CGA-pr58-vgg3-mfcc"],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2025-3600","review_status":"REVIEWED"},"references":[{"type":"ADVISORY","url":"https://github.com/nats-io/nats-server/security/advisories/GHSA-fhg8-qxh5-7q3w"},{"type":"WEB","url":"https://advisories.nats.io/CVE/secnote-2025-01.txt"},{"type":"FIX","url":"https://github.com/nats-io/nats-server/commit/3e7e4645a24e829a36b4210f2d7c34dea7f7a424"}],"affected":[{"package":{"name":"github.com/nats-io/nats-server/v2","ecosystem":"Go","purl":"pkg:golang/github.com/nats-io/nats-server/v2"},"ranges":[{"type":"SEMVER","events":[{"introduced":"2.2.0"},{"fixed":"2.10.27"},{"introduced":"2.11.0"},{"fixed":"2.11.1"}]}],"ecosystem_specific":{"imports":[{"symbols":["Account.AddServiceImport","Account.AddServiceImportWithClaim","Account.DisableJetStream","Account.EnableJetStream","Account.RestoreStream","Account.TrackServiceExport","Account.TrackServiceExportWithSampling","Account.UnTrackServiceExport","CacheDirAccResolver.Reload","CacheDirAccResolver.Start","ConfigureOptions","DirAccResolver.Fetch","DirAccResolver.Reload","DirAccResolver.Start","DirAccResolver.Store","DirJWTStore.Merge","DirJWTStore.Pack","DirJWTStore.PackWalk","DirJWTStore.Reload","DirJWTStore.SaveAcc","DirJWTStore.SaveAct","New","NewCacheDirAccResolver","NewDirAccResolver","NewExpiringDirJWTStore","NewServer","Options.ProcessConfigFile","ProcessConfigFile","Run","Server.AcceptLoop","Server.AccountStatz","Server.Accountz","Server.ActivePeers","Server.Connz","Server.DisableJetStream","Server.DisconnectClientByID","Server.EnableJetStream","Server.Gatewayz","Server.HandleAccountStatz","Server.HandleAccountz","Server.HandleConnz","Server.HandleG
atewayz","Server.HandleHealthz","Server.HandleIPQueuesz","Server.HandleSubsz","Server.HandleVarz","Server.InProcessConn","Server.Ipqueuesz","Server.JetStreamEnabledForDomain","Server.JetStreamIsStreamAssigned","Server.JetStreamIsStreamCurrent","Server.JetStreamSnapshotMeta","Server.JetStreamSnapshotStream","Server.JetStreamStepdownConsumer","Server.JetStreamStepdownStream","Server.LameDuckShutdown","Server.LookupAccount","Server.LookupOrRegisterAccount","Server.NumLoadedAccounts","Server.NumSubscriptions","Server.RegisterAccount","Server.Reload","Server.ReloadOptions","Server.SetDefaultSystemAccount","Server.SetSystemAccount","Server.Shutdown","Server.Start","Server.StartHTTPMonitoring","Server.StartHTTPSMonitoring","Server.StartMonitoring","Server.StartProfiler","Server.StartRouting","Server.Subsz","Server.UpdateAccountClaims","Server.Varz","client.RegisterNkeyUser","client.RegisterUser","clusterOption.Apply","leafNodeOption.Apply","maxConnOption.Apply","mqttMaxAckPendingReload.Apply","raft.AdjustClusterSize","raft.InstallSnapshot","raft.PauseApply","raft.ProposeKnownPeers","raft.ProposeRemovePeer","raft.ResumeApply","raft.SendSnapshot","raft.StepDown","raft.UpdateKnownPeers","routesOption.Apply"],"path":"github.com/nats-io/nats-server/v2/server"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2025-3600.json"}}],"schema_version":"1.7.5","credits":[{"name":"Thomas Morgan"}]}