CVE-2023-46129 | xkeys Seal encryption used fixed key for all encryption

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The cryptographic key handling library, nkeys, recently gained support for encryption, not just for signing/authentication. This is used in nats-server 2.10 (Sep 2023) and newer for authentication callouts. In nkeys versions 0.4.0 through 0.4.5, corresponding with NATS server versions 2.10.0 through 2.10.3, the nkeys library's `xkeys` encryption handling logic mistakenly passed an array by value into an internal function, where the function mutated that buffer to populate the encryption key to use. As a result, all encryption was actually to an all-zeros key. This affects encryption only, not signing. FIXME: FILL IN IMPACT ON NATS-SERVER AUTH CALLOUT SECURITY. nkeys Go library 0.4.6, corresponding with NATS Server 2.10.4, has a patch for this issue. No known workarounds are available. For any application handling auth callouts in Go, if using the nkeys library, update the dependency, recompile and deploy that in lockstep.

Published: 2023-10-31 Last update: 2026-03-30 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2023-46129 is rated Low Risk (36.4/100): CVSS High severity, with low exploitation likelihood (EPSS 0.05%). Monitor for updates and reassess as exploit intelligence or EPSS changes.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2023-46129

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2023-11-09 0.04% 0.05% +0.01%
2 2023-10-31 0.04%

Full EPSS history (2 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2023-46129

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
7.5 3.1 HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:N)
Service keeps running; no real outage angle.
 3.9 3.6 [email protected]
7.5 3.1 HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:N)
Service keeps running; no real outage angle.
 3.9 3.6 [email protected]

Weakness enumeration for CVE-2023-46129

GitHub Security Advisory for CVE-2023-46129

GHSA-mr45-rx8q-wcm9 · Severity: high · Ecosystem: go — xkeys seal encryption used fixed key for all encryption

OS Trackers for CVE-2023-46129

vendor priority summary link
alpine CVE-2023-46129: 1 source package rows (nats-server); 5 state rows across 5 repos (3.19-community, 3.20-community, 3.21-community, 3.22-community, edge-community); fixed 5, open 0. https://security.alpinelinux.org/vuln/CVE-2023-46129
debian unimportant CVE-2023-46129 unimportant priority: Debian including 2 source packages (golang-github-nats-io-nkeys, nats-server), 9 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 9. https://security-tracker.debian.org/tracker/CVE-2023-46129
redhat high https://access.redhat.com/security/cve/CVE-2023-46129
ubuntu medium CVE-2023-46129 medium priority: Ubuntu including 2 source packages (golang-github-nats-io-nkeys, nats-server), 24 status rows across 12 suites (bionic, focal, jammy, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): ignored 10, not-affected 8, DNE 2, needed 2, released 2. https://ubuntu.com/security/CVE-2023-46129

Affected software / configurations for CVE-2023-46129

Vendor Product Version Raw CPE
linuxfoundation nats-server >= 2.10.0, < 2.10.4 cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*
nats nkeys >= 0.4.0, < 0.4.6 cpe:2.3:a:nats:nkeys:*:*:*:*:*:*:*:*

References for CVE-2023-46129

cvelogic Threat Intelligence