Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Authenticated MQTT publish gives PR:L; dependence on MQTT plus leaf-node forwarding raises AC:H; injection crosses into the leaf node connection's subject space, so S:C with C:H, I:L.
Primary rating from Vendor (vendor:ubuntu).
CVSS VectorVendor: vendor:ubuntu
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
7DescriptionCVE.org
[Unknown description]
AnalysisAI
Protocol injection in NATS Server MQTT support allows an authenticated MQTT client to smuggle control characters (tab, newline, carriage return, form feed) inside publish and Will topics, which corrupt the NATS wire protocol when the topic is converted to a NATS subject and forwarded across leaf node connections. Fixed in nats-server v2.12.9 and v2.14.1, the flaw (GHSA-qrcv-3558-gj4f, CWE-74) is tagged Information Disclosure and lets a low-privileged publisher influence how messages are framed and routed to other connections. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires an authenticated MQTT client session (PR:L) with permission to PUBLISH or to set a Will topic, and the server must have the MQTT interface enabled; the demonstrated wire-protocol corruption further requires the affected topic to be forwarded to another connection such as a leaf node, so a leaf node / federated deployment is the concrete condition that makes the injection impactful. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N, base 7.1) marks this network-reachable, low-complexity, requiring low privileges (PR:L = an authenticated MQTT session) with high confidentiality impact and low integrity impact - consistent with subject injection that can expose or misroute messages. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds valid credentials for a NATS MQTT account connects and PUBLISHes to a topic containing carriage-return/line-feed and other control bytes; when the server converts that topic to a NATS subject and forwards it over a leaf node connection, the embedded characters break the wire-protocol framing, allowing the attacker to influence message routing or inject protocol elements that disclose messages destined for other connections. Attack complexity is low at the protocol layer but depends on MQTT and leaf node connectivity being configured; no public POC was provided in the source data. |
| Remediation | Vendor-released patch: upgrade to nats-server v2.12.9 (2.12.x line) or v2.14.1 (2.14.x line), which add mqttValidatePublishTopic to reject framing control characters in MQTT publish and Will topics (see fix commits 366837c, 64ebae4, f14856b and pull requests https://github.com/nats-io/nats-server/pull/8163 and https://github.com/nats-io/nats-server/pull/8164, plus advisory https://github.com/nats-io/nats-server/security/advisories/GHSA-qrcv-3558-gj4f). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all NATS Server deployments, versions, and MQTT/leaf node configurations in your environment. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Nats Server
View allNATS Server 2.x before 2.2.0 and JWT library before 2.0.1 have Incorrect Access Control because Import Token bindings ar
The JWT library in NATS nats-server before 2.1.9 has Incorrect Access Control because of how expired credentials are han
This affects all versions of package github.com/nats-io/nats-server/server. Rated high severity (CVSS 7.5), this vulnera
NATS nats-server before 2.7.2 has Incorrect Access Control. Rated high severity (CVSS 8.8), this vulnerability is remote
Authentication bypass in NATS Server (nats-io/nats-server) lets an unauthenticated attacker on an adjacent network conne
Remote denial of service in the NATS Server (nats-io/nats-server) leafnode subsystem allows unauthenticated attackers to
Denial of service in NATS Server (nats-server) MQTT handler allows a remote, unauthenticated client to exhaust server me
An integer overflow in NATS Server before 2.0.2 allows a remote attacker to crash the server by sending a crafted reques
Remote denial-of-service in NATS Server (nats-server) affects deployments with the WebSocket listener enabled but MQTT d
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise,
The JWT library in NATS nats-server before 2.1.9 allows a denial of service (a nil dereference in Go code). Rated high s
NATS nats-server before 2.7.4 allows Directory Traversal (with write access) via an element in a ZIP archive for JetStre
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42383