Volerion logoVolerion
Volerion logoVolerion

NATS-Server Leafnode Spoofing Vulnerability in Nats-Request-Info Header

Vulnerability

A vulnerability exists in NATS-Server versions prior to 2.11.15 and 2.12.6, allowing for spoofing of identity information in the Nats-Request-Info message header. This header is intended to facilitate account or user identification, enabling NATS clients to make trust decisions about messages based on their confidence in the nats-server as a broker. However, leafnodes connecting to a nats-server are not fully trusted unless the system account is also bridged, leading to unchecked propagation of identity claims. While this vulnerability does not directly impact the nats-server itself, it could affect how clients interpret the Nats-Request-Info header, with potential implications for message trustworthiness.

Impact

Exploitation of this vulnerability could lead to unauthorized manipulation of identity information, allowing clients to be misled about the trustworthiness of messages based on the spoofed Nats-Request-Info header.

Remediation

Users can upgrade to NATS-Server versions 2.12.6 or 2.11.15 to address this vulnerability.

Added: Mar 25, 2026, 10:25 PM
Updated: Mar 25, 2026, 10:25 PM

Vulnerability Rating

Custom Algorithm
spread
6.2
impact
0.8
exploitability
6.2
remediation
7.7
relevance
4.7
threat
0.0
urgency
2.9
incentive
0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.