Use of Hard-coded Cryptographic Key Affecting golang-github-nats-io-nkeys package, versions *
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-UBUNTU2004-GOLANGGITHUBNATSIONKEYS-6039686
- published25 Jun 2025
- disclosed31 Oct 2023
Introduced: 31 Oct 2023
CVE-2023-46129 (opens in a new tab)How to fix?
There is no fixed version for Ubuntu:20.04 golang-github-nats-io-nkeys.
NVD Description
Note: Versions mentioned in the description apply only to the upstream golang-github-nats-io-nkeys package and not the golang-github-nats-io-nkeys package as distributed by Ubuntu.
See How to fix? for Ubuntu:20.04 relevant fixed versions and status.
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The cryptographic key handling library, nkeys, recently gained support for encryption, not just for signing/authentication. This is used in nats-server 2.10 (Sep 2023) and newer for authentication callouts. In nkeys versions 0.4.0 through 0.4.5, corresponding with NATS server versions 2.10.0 through 2.10.3, the nkeys library's xkeys encryption handling logic mistakenly passed an array by value into an internal function, where the function mutated that buffer to populate the encryption key to use. As a result, all encryption was actually to an all-zeros key. This affects encryption only, not signing.
FIXME: FILL IN IMPACT ON NATS-SERVER AUTH CALLOUT SECURITY. nkeys Go library 0.4.6, corresponding with NATS Server 2.10.4, has a patch for this issue. No known workarounds are available. For any application handling auth callouts in Go, if using the nkeys library, update the dependency, recompile and deploy that in lockstep.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-46129
- http://www.openwall.com/lists/oss-security/2023/10/31/1
- https://github.com/nats-io/nkeys/security/advisories/GHSA-mr45-rx8q-wcm9
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R3UETKPUB3V5JS5TLZOF3SMTGT5K5APS/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULQQONMSCQSH5Z5OWFFQHCGEZ3NL4DRJ/