CVE-2022-26652 in nats-server
Summary
by MITRE • 03/10/2022
NATS nats-server before 2.7.4 allows Directory Traversal (with write access) via an element in a ZIP archive for JetStream streams. nats-streaming-server before 0.24.3 is also affected.
Analysis
by VulDB Data Team • 03/30/2026
CVE-2022-26652 is a critical directory traversal flaw in NATS servers: nats-server versions prior to 2.7.4 and nats-streaming-server versions prior to 0.24.3 are affected. The flaw is reached when the server processes a ZIP archive containing JetStream streams: an element of the archive can carry a path that is not confined to the intended directory, which lets an attacker with write access drive file system operations beyond the intended boundaries. It resides in how the server handles file paths inside compressed archives, in particular when those archives are used to configure or manage JetStream stream data.
The root cause is inadequate input validation and path sanitization in the NATS server's archive processing routines. When a ZIP archive is uploaded or processed for JetStream streams, the file paths contained in the archive are used without being properly validated or sanitized. A crafted archive whose entry names contain traversal sequences such as ../ or ..\ therefore causes files to be written to locations on the server filesystem chosen by the archive's author. The result is a significant privilege escalation vector: an attacker with write access to the streaming server gains the ability to perform arbitrary file system operations.
The operational impact of CVE-2022-26652 goes beyond file system manipulation: combined with other attack vectors it can lead to complete compromise of the host. Overwriting critical system files, installing backdoors, or escalating privileges to administrative control over the NATS server instance are all consequences of an arbitrary file write. Organizations that rely on NATS for mission-critical applications are affected, particularly where JetStream streams provide data persistence and message queuing. The exposure is most concerning in cloud environments where NATS servers may be reachable by untrusted users or where automated deployment pipelines process user-supplied ZIP archives.
The weakness is classified as CWE-22 Directory Traversal and is mapped here to ATT&CK technique T1059 Command and Scripting Interpreter, file system manipulation being the route to command execution. Organizations running affected versions should treat upgrading to nats-server 2.7.4 or nats-streaming-server 0.24.3 (or later) as the immediate priority. Complementary mitigations are strict validation of every path taken from an archive before it is used, restriction of the server's write access to the directories it genuinely needs, and network segmentation that keeps NATS servers away from untrusted networks. Automated scanning of ZIP archives before the server processes them, together with monitoring for unusual file system operations such as writes outside the expected JetStream directories, gives defenders a way to detect exploitation attempts. The case illustrates why path validation in archive processing is essential: functionality that appears benign becomes a critical risk the moment input sanitization is omitted.
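The two mitigations above that live in code, validating every archive entry path before use and scanning an archive for unsafe entries before it is processed, look like this in practice. This is an added example written for this page, not code from nats-server, nats-streaming-server or VulDB. It assumes a Go consumer that extracts ZIP entries beneath a destination directory; the helper names safeJoin, auditArchive and buildSampleArchive are hypothetical, and the entry names in the sample archive are constructed test data rather than a real JetStream stream layout.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when an archive entry name would resolve to a
// location outside the destination directory.
var ErrTraversal = errors.New("archive entry escapes destination directory")

// safeJoin resolves an archive entry name against dest and returns the target
// path, or ErrTraversal if the entry would land outside dest.
// Hypothetical helper; not part of nats-server.
func safeJoin(dest, name string) (string, error) {
	// Normalize Windows-style separators first so "..\" cannot slip past a
	// check that only understands "/".
	normalized := strings.ReplaceAll(name, "\\", "/")
	if normalized == "" || strings.HasPrefix(normalized, "/") || filepath.IsAbs(filepath.FromSlash(normalized)) {
		return "", ErrTraversal
	}
	destClean := filepath.Clean(dest)
	// Join cleans the result, so every ".." segment is collapsed here.
	target := filepath.Join(destClean, filepath.FromSlash(normalized))
	// If the collapsed path climbed above dest, the relative path back from
	// dest starts with "..". An entry resolving to dest itself is rejected too.
	rel, err := filepath.Rel(destClean, target)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return target, nil
}

// auditArchive reads a ZIP archive held in memory and returns the entry names
// that safeJoin rejects for dest. An empty result means every entry is confined
// to dest; a non-empty result is a reason to refuse the archive and raise an alert.
func auditArchive(data []byte, dest string) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	// Since Go 1.20 the reader itself flags unsafe names with ErrInsecurePath when
	// GODEBUG=zipinsecurepath=0. The reader is still usable in that case, so carry
	// on and let safeJoin report exactly which entries are unsafe.
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return nil, err
	}
	var bad []string
	for _, f := range zr.File {
		if _, err := safeJoin(dest, f.Name); err != nil {
			bad = append(bad, f.Name)
		}
	}
	return bad, nil
}

// buildSampleArchive creates an in-memory ZIP with the given entry names.
// The names are constructed test data, not a real JetStream stream archive.
func buildSampleArchive(names []string) ([]byte, error) {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, n := range names {
		// The writer does not validate names, so traversal entries are easy to produce.
		w, err := zw.Create(n)
		if err != nil {
			return nil, err
		}
		if _, err := w.Write([]byte("sample")); err != nil {
			return nil, err
		}
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	// Constructed entry names: two benign stream files and three traversal attempts.
	names := []string{
		"streams/orders/msgs.dat",
		"streams/orders/meta.json",
		"../../outside.txt",
		"..\\..\\outside.txt",
		"streams/../../outside.txt",
	}
	data, err := buildSampleArchive(names)
	if err != nil {
		panic(err)
	}
	bad, err := auditArchive(data, "/var/lib/nats/jetstream")
	if err != nil {
		panic(err)
	}
	for _, n := range bad {
		fmt.Printf("REJECT %q: %v\n", n, ErrTraversal)
	}
	fmt.Printf("%d of %d entries rejected\n", len(bad), len(names))
}
```

The check deliberately works on the cleaned, joined path rather than searching the raw name for "..", because a segment such as "stream/a/../b.dat" is harmless once collapsed while "streams/../../outside.txt" only reveals its escape after cleaning. Running auditArchive before any extraction gives the automated scan the analysis recommends; a non-empty result is the signal worth logging and alerting on.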