CVE-2020-28466

Name: CVE-2020-28466
Creator: NVD / NIST
Published: 2021-03-07T10:15:12.957+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 3.66%

Last modified Jun 17, 2026

CVE-2020-28466 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent a service export/import cycles. EPSS estimates a 3.66% chance of exploitation in the next 30 days.

Description

This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent a service export/import cycles. Disclaimer from the maintainers: Running a NATS service which is exposed to untrusted users presents a heightened risk. Any remote execution flaw or equivalent seriousness, or denial-of-service by unauthenticated users, will lead to prompt releases by the NATS maintainers. Fixes for denial of service issues with no threat of remote execution, when limited to account holders, are likely to just be committed to the main development branch with no special attention. Those who are running such services are encouraged to build regularly from git.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

3.66%

88.2th percentile

Probability of exploitation in the next 30 days. Learn more

Affected Software

Vendor	Product	Versions
Linuxfoundation	Nats-Server	>= 2.0.0, < 2.2.0

References

http://www.openwall.com/lists/oss-security/2021/03/16/1Mailing List
http://www.openwall.com/lists/oss-security/2021/03/16/2Mailing List, Third Party Advisory
https://github.com/nats-io/nats-server/pull/1731Patch, Third Party Advisory
https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMNATSIONATSSERVERSERVER-1042967Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/03/16/1Mailing List
http://www.openwall.com/lists/oss-security/2021/03/16/2Mailing List, Third Party Advisory
https://github.com/nats-io/nats-server/pull/1731Patch, Third Party Advisory
https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMNATSIONATSSERVERSERVER-1042967Third Party Advisory

Timeline

Published: Mar 7, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2020-28466?

How severe is CVE-2020-28466?

CVE-2020-28466 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 3.66% probability of exploitation in the next 30 days.

How do I fix CVE-2020-28466?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2020-28466?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST