NATS-Server Command-Line Credential Exposure Vulnerability

Vulnerability

A vulnerability exists in NATS-Server versions prior to 2.11.15 and 2.12.6: static credentials passed to the server as command-line arguments are exposed to any user who can reach the monitoring port. When the monitoring port is enabled, the '/debug/vars' endpoint returns an unredacted copy of the server's command-line arguments, including any credentials supplied there.

Impact

Exposing static credentials via the monitoring port can lead to unauthorized access or actions on behalf of the credentialed user.

Remediation

Upgrade to NATS-Server 2.12.6 or 2.11.15. As a workaround, supply credentials in a configuration file rather than as command-line arguments, and do not enable the monitoring port while secrets are present in the arguments. It is also recommended not to expose the monitoring port to the Internet or to untrusted networks.
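To audit a server for the exposure described above, an operator can fetch '/debug/vars' from the monitoring port of their own instance and inspect the 'cmdline' array it returns. The helper below (an added example, not nats-server code) reports which credential flags appear there and produces a redacted copy that is safe to log; it assumes the nats-server flag names --user, --pass and --auth in Go's -flag, --flag and --flag=value spellings, and the sample bodies are constructed, not captured output.

```python
"""Audit a /debug/vars body for nats-server credentials passed on the command line."""
import json

# Assumed nats-server static-credential flags; their values must never be logged.
CREDENTIAL_FLAGS = {"user", "pass", "auth"}
REDACTED = "<redacted>"


def audit_cmdline(debug_vars_body: str) -> tuple[list[str], list[str]]:
    """Return (leaked_flag_names, redacted_cmdline) for a /debug/vars JSON body.
    Only flag names are reported; secret values are replaced by '<redacted>'."""
    args = json.loads(debug_vars_body).get("cmdline", [])
    leaked, redacted = [], []
    i = 0
    while i < len(args):
        arg = args[i]
        # Go's flag package accepts -pass, --pass and --pass=value alike.
        name, has_eq, _ = arg.lstrip("-").partition("=")
        if arg.startswith("-") and name in CREDENTIAL_FLAGS:
            leaked.append(name)
            if has_eq:                              # --pass=secret
                redacted.append(arg.partition("=")[0] + "=" + REDACTED)
            else:                                   # --pass secret
                redacted.append(arg)
                if i + 1 < len(args):               # value is the next argv element
                    redacted.append(REDACTED)
                    i += 1
        else:
            redacted.append(arg)
        i += 1
    return leaked, redacted


# Constructed sample of a vulnerable server's /debug/vars body (not real output).
EXPOSED_SAMPLE = json.dumps({
    "cmdline": ["/usr/local/bin/nats-server", "-m", "8222",
                "--user", "svc_app", "--pass=hunter2", "-auth", "tok3n"],
    "memstats": {"Alloc": 12345},
})
# Constructed sample after the workaround: credentials moved into a config file.
SAFE_SAMPLE = json.dumps({
    "cmdline": ["/usr/local/bin/nats-server", "-m", "8222", "-c", "/etc/nats/nats.conf"],
})

if __name__ == "__main__":
    for body in (EXPOSED_SAMPLE, SAFE_SAMPLE):
        flags, safe_args = audit_cmdline(body)
        print("exposed flags:", flags or "none", "|", " ".join(safe_args))
```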

Added: Mar 25, 2026, 10:24 PM
Updated: Mar 25, 2026, 10:24 PM

Vulnerability Rating

Custom Algorithm

spread          6.2
impact          2.5
exploitability  8.1
remediation     8.3
relevance       4.7
threat          0.0
urgency         2.9
incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.