Is github.com/nats-io/nats-server safe to use?

github.com/nats-io/nats-server has 15 known vulnerabilities on the latest version (v1.4.1). DepScope rates its health at 27/100 (critical risk).

What is the latest version of github.com/nats-io/nats-server?

The latest version of github.com/nats-io/nats-server is v1.4.1, released 2019-02-07.

Does github.com/nats-io/nats-server have known vulnerabilities?

Yes. github.com/nats-io/nats-server has 15 known vulnerabilities. See depscope.dev/pkg/go/github.com/nats-io/nats-server for details.

Is github.com/nats-io/nats-server deprecated?

No, github.com/nats-io/nats-server is actively maintained. Latest release: v1.4.1 (2019-02-07).

What are alternatives to github.com/nats-io/nats-server?

DepScope has no curated alternatives for github.com/nats-io/nats-server at this time.

What license does github.com/nats-io/nats-server use?

github.com/nats-io/nats-server is licensed under Apache-2.0.

github.com/nats-io/nats-server

govv1.4.1

High-Performance server for NATS.io, the cloud and edge native messaging system.

License Apache-2.0permissive25 versions216 maintainers0 deps19,695 weekly dl

nats-io/nats-server

/ 100

Health

update required

github.com/nats-io/[email protected] has vulnerabilities — update to latest

Update to >= 2.2.3 to fix known vulnerabilities

Low health score (27/100)
5 high severity vulnerabilities

Health breakdown0 – 100

0/25

maintenance

10/20

popularity

0/25

security

12/15

maturity

5/15

community

Vulnerabilities

5 high6 medium4 low

Advisories (15)

Severity	ID	Summary	Fixed in
medium	BIT-nats-2026-33248	NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching	2.12.6
high	BIT-nats-2026-29785	NATS Server panic via malicious compression on leafnode port	2.12.5
medium	BIT-nats-2026-33246	NATS: Leafnode connections allow spoofing of Nats-Request-Info identity headers	2.12.6
medium	BIT-nats-2026-33219	NATS is vulnerable to pre-auth DoS through WebSockets client service	2.12.6
medium	BIT-nats-2026-33222	NATS JetStream has an authorization bypass through its Management API	2.12.6
high	BIT-nats-2026-33217	NATS allows MQTT clients to bypass ACL checks	2.12.6
high	BIT-nats-2020-28466	Denial of service in github.com/nats-io/nats-server/server	2.2.0
medium	BIT-nats-2026-33223	NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing	2.12.6
medium	BIT-nats-2026-27571	nats-server websockets are vulnerable to pre-auth memory DoS	2.12.3
high	BIT-nats-2026-33216	NATS has MQTT plaintext password disclosure	2.12.6
high	BIT-nats-2026-33218	NATS has pre-auth server panic via leafnode handling	2.12.6
unknown	GHSA-gwj5-3vfq-q992	Import loops in account imports, nats-server DoS in github.com/nats-io/nats-server	2.2.0
unknown	CVE-2019-13126	Integer Overflow or Wraparound in NATS Server in github.com/nats-io/nats-server	2.2.0
unknown	BIT-nats-2020-28466	Denial of service in github.com/nats-io/nats-server/server in github.com/nats-io/nats-server	2.2.0
unknown	CVE-2021-32026	NATS server TLS missing ciphersuite settings when CLI flags used in github.com/nats-io/nats-server	2.2.3

Health History

Dependency Tree

License Audit

API access

Get this data programmatically — free, no authentication.

curl https://depscope.dev/api/check/go/github.com/nats-io/nats-server

Last updated · 2019-02-07T23:30:30Z

Severity

Summary

Fixed in

medium

BIT-nats-2026-33248

NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching

2.12.6

high

BIT-nats-2026-29785

NATS Server panic via malicious compression on leafnode port

2.12.5

medium

BIT-nats-2026-33246

NATS: Leafnode connections allow spoofing of Nats-Request-Info identity headers

2.12.6

medium

BIT-nats-2026-33219

NATS is vulnerable to pre-auth DoS through WebSockets client service

2.12.6

medium

BIT-nats-2026-33222

NATS JetStream has an authorization bypass through its Management API

2.12.6

high

BIT-nats-2026-33217

NATS allows MQTT clients to bypass ACL checks

2.12.6

high

BIT-nats-2020-28466

Denial of service in github.com/nats-io/nats-server/server

2.2.0

medium

BIT-nats-2026-33223

NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing

2.12.6

medium

BIT-nats-2026-27571

nats-server websockets are vulnerable to pre-auth memory DoS

2.12.3

high

BIT-nats-2026-33216

NATS has MQTT plaintext password disclosure

2.12.6

high

BIT-nats-2026-33218

NATS has pre-auth server panic via leafnode handling

2.12.6

unknown

GHSA-gwj5-3vfq-q992

Import loops in account imports, nats-server DoS in github.com/nats-io/nats-server

2.2.0

unknown

CVE-2019-13126

Integer Overflow or Wraparound in NATS Server in github.com/nats-io/nats-server

2.2.0

unknown

BIT-nats-2020-28466

Denial of service in github.com/nats-io/nats-server/server in github.com/nats-io/nats-server

2.2.0

unknown

CVE-2021-32026

NATS server TLS missing ciphersuite settings when CLI flags used in github.com/nats-io/nats-server

2.2.3