{"id":"GO-2022-0402","summary":"Panic in NATS JWT decoding in github.com/nats-io/jwt","details":"A malicious account can create and sign a User JWT which causes a panic when decoded by the NATS JWT library.","aliases":["CVE-2020-26521","GHSA-h2fg-54x9-5qhq","GHSA-hmm9-r2m2-qg9w"],"modified":"2026-02-04T03:01:19.864397Z","published":"2022-07-01T20:10:43Z","related":["CGA-2v6p-mg24-q4w7"],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-0402","review_status":"REVIEWED"},"references":[{"type":"FIX","url":"https://github.com/nats-io/jwt/pull/107"},{"type":"WEB","url":"https://advisories.nats.io/CVE/CVE-2020-26521.txt"}],"affected":[{"package":{"name":"github.com/nats-io/jwt","ecosystem":"Go","purl":"pkg:golang/github.com/nats-io/jwt"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.1.0"}]}],"ecosystem_specific":{"imports":[{"symbols":["Account.Validate","AccountClaims.Validate","Export.Validate","Exports.Validate","Import.Validate","Imports.Validate"],"path":"github.com/nats-io/jwt"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2022-0402.json"}}],"schema_version":"1.7.3"}