GHSA-wvc4-j7g5-4f79: NATS TLS certificate common name validation bypass
The NATS official Rust clients are vulnerable to MitM when using TLS.

A fix for the `nats` crate hasn't been released yet. Since the `nats` crate is going to be deprecated anyway, consider switching to `async-nats >= 0.29`, which already fixed this vulnerability.
The common name of the server's TLS certificate is validated against the host name provided by the server's plaintext `INFO` message during the initial connection setup phase. A MitM proxy can tamper with the `host` field's value by substituting it with the common name of a valid certificate it controls, fooling the client into accepting it.
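As an added illustration (not code from the `nats` or `async-nats` crates), the following Rust model shows the vulnerable choice of TLS server name beside the fixed one. The `INFO` line layout and its `host` field are from the NATS protocol; the function names, the minimal field extraction and the sample hosts are constructed for this example.

```rust
// Added example: models how a NATS client picks the name that the server's TLS
// certificate is checked against. Real clients use a JSON parser and a TLS
// library; the hand-rolled extraction below is a simplification for clarity.

/// Pulls the "host" value out of a NATS INFO line such as
/// `INFO {"server_id":"abc","host":"nats.example.com","port":4222,"tls_required":true}\r\n`.
/// Assumes the value is a plain quoted string without escapes.
pub fn info_host(info_line: &str) -> Option<String> {
    let json = info_line.strip_prefix("INFO ")?.trim_end();
    let idx = json.find("\"host\"")?;
    let rest = &json[idx + "\"host\"".len()..];
    let rest = rest.trim_start().strip_prefix(':')?.trim_start();
    let rest = rest.strip_prefix('"')?;
    let end = rest.find('"')?;
    Some(rest[..end].to_string())
}

/// Vulnerable pattern: the name validated against the certificate is taken from
/// the plaintext INFO message, which an on-path proxy can rewrite before TLS starts.
pub fn tls_server_name_vulnerable(info_line: &str, configured_host: &str) -> String {
    info_host(info_line).unwrap_or_else(|| configured_host.to_string())
}

/// Fixed pattern: the name comes only from the URL the application configured.
/// INFO is untrusted input until the TLS handshake has completed.
pub fn tls_server_name_fixed(_info_line: &str, configured_host: &str) -> String {
    configured_host.to_string()
}

/// Defensive signal: a mismatch between the configured host and the INFO host is
/// worth logging. It can be legitimate (clusters, load balancers) but is also
/// exactly what a tampered INFO message looks like.
pub fn info_host_mismatch(info_line: &str, configured_host: &str) -> bool {
    info_host(info_line).map_or(false, |h| !h.eq_ignore_ascii_case(configured_host))
}

fn main() {
    let configured = "nats.example.com";
    // Constructed INFO line in which the host field has been rewritten by a proxy.
    let tampered = "INFO {\"server_id\":\"abc\",\"host\":\"proxy.example.net\",\
                    \"port\":4222,\"tls_required\":true}\r\n";
    println!("vulnerable validates against: {}", tls_server_name_vulnerable(tampered, configured));
    println!("fixed validates against:      {}", tls_server_name_fixed(tampered, configured));
    println!("INFO host mismatch flagged:   {}", info_host_mismatch(tampered, configured));
}
```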