Improper Neutralization of Special Elements in Output Used by a Downstream Component in nats-server - #VU135933


Published: June 30, 2026


Vulnerability identifier: #VU135933
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-74
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: NATS - The Cloud Native Messaging System
Affected software:
nats-server

Detailed vulnerability description

The vulnerability allows a remote user to inject unintended NATS protocol operations.

The vulnerability exists due to improper neutralization of special elements in MQTT subscription filters forwarded by route and leafnode connections when processing MQTT SUBSCRIBE requests. A remote user can send a specially crafted MQTT subscription filter to inject unintended NATS protocol operations.

Exploitation can affect forwarded protocol streams across cluster nodes or accounts where route, gateway, or leafnode connections are present.
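As an added illustration (not nats-server's own code), the kind of neutralization step this class of flaw calls for: an MQTT subscription filter is checked for NATS protocol delimiters before it is mapped to a subject for forwarding over a route or leafnode connection. The subject mapping, the helper names and the sample filters are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrUnsafeFilter marks a filter that a route or leafnode peer would read as
// NATS protocol framing (CRLF line ends, whitespace-separated arguments).
var ErrUnsafeFilter = errors.New("mqtt filter contains NATS protocol delimiter")
// MQTTFilterToNATSSubject validates an MQTT subscription filter and maps it
// to a NATS subject: '/' -> '.', '+' -> '*', trailing '#' -> '>'.
// Assumption: a simplified mapping for illustration, not nats-server's own code.
func MQTTFilterToNATSSubject(filter string) (string, error) {
	if filter == "" {
		return "", errors.New("empty mqtt filter")
	}
	// Neutralization: refuse bytes that could end or split a protocol line.
	for i := 0; i < len(filter); i++ {
		if b := filter[i]; b <= ' ' || b == 0x7f {
			return "", fmt.Errorf("%w: byte %#x at offset %d", ErrUnsafeFilter, b, i)
		}
	}
	levels := strings.Split(filter, "/")
	for i, lvl := range levels {
		switch {
		case lvl == "+":
			levels[i] = "*"
		case lvl == "#":
			if i != len(levels)-1 {
				return "", errors.New("'#' must be the last level")
			}
			levels[i] = ">"
		case strings.ContainsAny(lvl, "+#"):
			return "", errors.New("wildcards must occupy a whole level")
		case lvl == "" || strings.Contains(lvl, "."):
			// NATS has no empty tokens and uses '.' as its separator; real code escapes these.
			return "", fmt.Errorf("level %q cannot be a NATS token", lvl)
		}
	}
	return strings.Join(levels, "."), nil
}
func main() {
	for _, f := range []string{"sensors/+/temp", "alerts/#", "sensors/x\r\ny"} {
		subj, err := MQTTFilterToNATSSubject(f)
		fmt.Printf("%q -> %q err=%v\n", f, subj, err) // constructed inputs
	}
}
```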


Remediation

Install the security update from the vendor's website.

Sources