Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 29 Sep 2020 18:48:30 -0400
From: Phil Pennock <>
Subject: [CVE-2020-26149] NATS project vulnerabilities: nats.js, (,

CVE: CVE-2020-26149

Background: is a high performance open source pub-sub distributed communication
technology, built for the cloud, on-premise, IoT, and edge computing.
The server is written in Go and there are client libraries in many languages
and frameworks.

Problem Description:

Preview versions of two NPM packages and one Deno package from the NATS
project contain an information disclosure flaw, leaking options to the
NATS server; for one package, this includes TLS private credentials.

The _connection_ configuration options in these JavaScript-based
implementations were fully serialized and sent to the server in the
client's CONNECT message, immediately after TLS establishment.

The nats.js client supports Mutual TLS and the credentials for the TLS
client key are included in the connection configuration options;
disclosure of the client's TLS private key to the server has been

Most authentication mechanisms are handled after connection, instead of
as part of connection, so other authentication mechanisms are
For clarity: NATS account NKey authentication is NOT affected.

Neither the nor the nats.deno clients support Mutual TLS: the
affected versions listed below are those where the logic flaw is
present.  We are including the and nats.deno versions out of an
abundance of caution, as library maintainers, but rate as minimal the
likelihood of applications leaking sensitive data.

Affected versions:

Security impact:

* NPM package nats.js:
  + mainline is unaffected
  + beta branch is vulnerable from 2.0.0-201, fixed in 2.0.0-209

Logic flaw:

* NPM package
  + status: preview
  + flawed from 1.0.0-85, fixed in 1.0.0-111
* Deno repository
  + status: preview
  + flawed in all git tags prior to fix
  + fixed with git tag v1.0.0-9


For deployments using TLS client certificates (for mutual TLS), private
key material for TLS is leaked from the client application to the
server.  If the server is untrusted (run by a third party), or if the
client application also disables TLS verification (and so the true
identity of the server is unverifiable) then authentication credentials
are leaked.




Upgrade your package dependencies to fixed versions, and then reissue
any TLS client credentials (with new keys, not just new certificates)
and revoke the old ones.


Personal addenda:

If anyone has any more questions which aren't for oss-security, then our
Slack tends to be pretty helpful, will arrange an
invite link for you if needed, or connect you through.  If you want to
stick to email, I can be reached at <>, and there's a PGP key
for that address in WKD if it really needs to be private.

Really, no official releases included this mistake, but we know some
developers have done `npm install nats@...a` and that's why we're
issuing an advisory.  We've marked the bad NPM versions as deprecated
and have a ticket in with NPMJS to get them marked vulnerable too.


Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.