OSTIF is proud to share the results of our security audit of NATS. NATS is an open source project developed by Synadia Communications that provides secure, always-on messaging for a variety of data formats and clients. With the help of Trail of Bits and the Cloud Native Computing Foundation, the project can continue to provide secure communication for adaptive edge and distributed systems.

Audit Process:

First, the audit team at Trail of Bits created a threat model for NATS, which was reviewed and discussed with the Synadia team. During those meetings and preliminary discussions, the Synadia team developed a list of security concerns for this audit, including but not limited to TLS support in inter-component connections, encryption at rest for stream data, and input parsing. After completing the initial threat model and considering the areas of interest raised by the Synadia team, the Trail of Bits audit team performed static and dynamic testing of the codebase using both automated and manual processes. The manual review focused on areas such as multitenancy, authentication/authorization, and the parser defined in server/parser.go. Using static analysis tools such as Semgrep and CodeQL, the audit team followed code paths and triaged the resulting issues.

Audit Results:

Notably, the issues identified by this audit do not indicate systemic flaws but rather one-off mistakes, which are statistically inevitable in a codebase as large as NATS. As of publishing, 100% of the reported findings have been resolved or accepted by the project. OSTIF wishes NATS the best on its path towards Graduation through the CNCF Incubating Projects Program.

Thank you to the individuals and groups that made this engagement possible:

View the Audit Report