GHSA-pwx7-fx9r-hr4h

Source

https://github.com/advisories/GHSA-pwx7-fx9r-hr4h

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-pwx7-fx9r-hr4h/GHSA-pwx7-fx9r-hr4h.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-pwx7-fx9r-hr4h

Aliases

Downstream

MINI-g83h-jhwh-pgfh

Related

CGA-5pw7-h9g6-p4mx

Published

2026-03-24T21:50:05Z

Modified

2026-03-27T22:17:38.378379Z

Severity

6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N CVSS Calculator

Summary

NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing

Details

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server offers a Nats-Request-Info: message header, providing information about a request.

Problem Description

The NATS message header Nats-Request-Info: is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was not fully effective.

An attacker with valid credentials for any regular client interface could thus spoof their identity to services which rely upon this header.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

None.

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-24T21:50:05Z",
    "severity": "MODERATE",
    "nvd_published_at": "2026-03-25T21:16:47Z",
    "cwe_ids": [
        "CWE-290"
    ]
}

References

Affected packages

Go / github.com/nats-io/nats-server/v2

Package

Name: github.com/nats-io/nats-server/v2; View open source insights on deps.dev
Purl: pkg:golang/github.com/nats-io/nats-server/v2

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.11.15

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-pwx7-fx9r-hr4h/GHSA-pwx7-fx9r-hr4h.json"

Go / github.com/nats-io/nats-server/v2

Package

Name: github.com/nats-io/nats-server/v2; View open source insights on deps.dev
Purl: pkg:golang/github.com/nats-io/nats-server/v2

Affected ranges

Type: SEMVER
Events: Introduced

2.12.0-RC.1

Fixed

2.12.6

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-pwx7-fx9r-hr4h/GHSA-pwx7-fx9r-hr4h.json"

Go / github.com/nats-io/nats-server

Package

Name: github.com/nats-io/nats-server; View open source insights on deps.dev
Purl: pkg:golang/github.com/nats-io/nats-server

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-pwx7-fx9r-hr4h/GHSA-pwx7-fx9r-hr4h.json"