What is CVE-2025-30215?

CVE-2025-30215 is a critical-severity vulnerability in Nats-io Nats-server, classified under Missing Authentication for Critical Function. CVSS score: 9.6/10. Published 2025-04-15.

How severe is CVE-2025-30215?

Critical severity. CVSS v3 base score is 9.6 out of 10.

Auth bypass in Nats-io Nats-server

CVE-2025-30215

NATS-Server is a High-Performance server for NATS.io, the cloud and edge native messaging system. In versions starting from 2.2.0 but prior to 2.10.27 and 2.11.1, the management of JetStream assets happens with messages in the $JS. subject…

Vulnerability class: Broken Authentication

EPSS: 0.000 (8.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.6 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H.

Affected products

Nats-io Nats-server — versions >= 2.2.0, < 2.10.27, >= 2.11.0-RC.1, < 2.11.1

Weakness classification (CWE)

References

https://github.com/nats-io/nats-server/security/advisories/GHSA-fhg8-qxh5-7q3w (x_refsource_CONFIRM)
https://advisories.nats.io/CVE/secnote-2025-01.txt (x_refsource_MISC)

Frequently asked questions

What is CVE-2025-30215?: CVE-2025-30215 is a critical-severity vulnerability in Nats-io Nats-server, classified under Missing Authentication for Critical Function. CVSS score: 9.6/10. Published 2025-04-15.
How severe is CVE-2025-30215?: Critical severity. CVSS v3 base score is 9.6 out of 10.