SMT2 formal verification of security-critical code paths
Each benchmark below models one security property as a 0/1 integer flag, pins the flag to its secure value, then asserts the violating value and calls check-sat. The expected answer is unsat: the violation is inconsistent with the invariant. A sat answer would mean the encoded invariant still admits the insecure state.
CVE-2026-33216 class: authentication secrets (password/token) must not be copied into JWT-designated option fields before JWT validation. This catches sibling variants where non-JWT secret material is mislabeled as JWT and then exposed through monitoring/introspection paths that treat the JWT field as non-secret.
; benchmark generated from python API
; secret_promoted_to_jwt = 1 means a password/token was copied into a JWT-designated
; field before JWT validation. The first two assertions pin the flag to its secure
; value 0; the third asserts the violation. Expected: unsat.
(set-info :status unsat)
(declare-fun secret_promoted_to_jwt () Int)
(assert
(<= secret_promoted_to_jwt 0))
(assert
(>= secret_promoted_to_jwt 0))
(assert
(= secret_promoted_to_jwt 1))
(check-sat)
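As an added illustration of this class (example code written for this page, not the code of any project): a structural JWT check gates what may be copied into the JWT-designated option field, and an assumed monitoring view that masks password/token but renders jwt in the clear shows why mislabeling leaks the secret. The UserOptions struct, its field names, the choice to keep a non-JWT secret in the password field, and the sample JWT (placeholder signature, no signature verification) are all assumptions made for the example.

```python
import base64
import json
from dataclasses import asdict, dataclass
from typing import Optional


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Re-add the padding JWT segments drop; raises a ValueError subclass on bad input.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


# Constructed sample inputs (not from the page). The JWT is structurally valid but
# carries placeholder signature bytes: this example decides what may be *labeled*
# JWT material, it does not verify signatures.
SAMPLE_JWT = ".".join([
    _b64url_encode(json.dumps({"alg": "EdDSA", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps({"sub": "user-1", "exp": 2000000000}).encode()),
    _b64url_encode(b"\x00" * 64),
])
SAMPLE_PASSWORD = "hunter2"
SAMPLE_TOKEN = "s3cr3t-bearer-token"


def looks_like_jwt(value: str) -> bool:
    """Structural JWT check: three non-empty base64url segments, a JSON object
    header naming an 'alg', and a JSON object payload. Passwords and opaque
    bearer tokens fail this, so they can never be mislabeled as JWTs."""
    parts = value.split(".")
    if len(parts) != 3 or not all(parts):
        return False
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
        _b64url_decode(parts[2])
    except ValueError:  # binascii.Error, UnicodeDecodeError, JSONDecodeError
        return False
    return isinstance(header, dict) and "alg" in header and isinstance(payload, dict)


@dataclass
class UserOptions:
    """Assumed option struct: password and token are secret-typed, jwt is not."""
    username: str
    password: Optional[str] = None
    token: Optional[str] = None
    jwt: Optional[str] = None


def load_user_vulnerable(username: str, secret: str) -> UserOptions:
    # The flawed pattern: whatever credential arrives is copied into the
    # JWT-designated field without first checking that it is a JWT at all.
    return UserOptions(username=username, jwt=secret)


def load_user_hardened(username: str, secret: str) -> UserOptions:
    # Only material that structurally is a JWT may occupy the jwt field;
    # anything else stays in a secret-typed field that introspection masks.
    if looks_like_jwt(secret):
        return UserOptions(username=username, jwt=secret)
    return UserOptions(username=username, password=secret)


SECRET_FIELDS = ("password", "token")


def monitoring_view(opts: UserOptions) -> dict:
    """Assumed introspection path: secret-typed fields are masked, the jwt
    field is shown in the clear because a JWT is signed, non-secret data."""
    view = asdict(opts)
    for name in SECRET_FIELDS:
        if view[name] is not None:
            view[name] = "***"
    return view


def leaks_secret(opts: UserOptions, secret: str) -> bool:
    """True if the monitoring view exposes the raw secret in any field."""
    return secret in monitoring_view(opts).values()
```

The structural check is deliberately not JWT validation: a deployment still verifies the signature against the trusted issuer before acting on the claims. Its only job here is to make the JWT-designated field unreachable for a password or bearer token, which is the invariant the benchmark above encodes as secret_promoted_to_jwt = 0.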
CVE-2026-33222 class: subject-scoped restore permissions must be cryptographically/semantically bound to the payload stream identifier. This catches sibling variants where endpoint authorization is checked on subject path, but payload resource identifiers are not enforced to match, enabling cross-resource restore/overwrite.
; benchmark generated from python API
; restore_stream_binding_enforced = 1 means the payload's stream identifier is
; required to match the subject-scoped authorization. The first two assertions pin
; the flag to 1; the third asserts the violation (the redundant "true" conjunct the
; generator emitted is dropped). Expected: unsat.
(set-info :status unsat)
(declare-fun restore_stream_binding_enforced () Int)
(assert
(<= restore_stream_binding_enforced 1))
(assert
(>= restore_stream_binding_enforced 1))
(assert
(distinct restore_stream_binding_enforced 1))
(check-sat)
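An added example (written for this page, not taken from any project) of the binding this class requires: the vulnerable authorizer checks only that the caller may publish on the restore subject, while the hardened one also requires the stream named in the payload to equal the stream named on the subject path. The dot-separated subject grammar with '*' and '>' wildcards, the endpoint layout api.stream.restore.<stream>, and the payload shape {"config": {"name": ...}} are assumptions for illustration.

```python
from typing import Iterable, Optional

# Assumed subject grammar: dot-separated tokens, '*' matches exactly one token,
# '>' matches one or more trailing tokens. Assumed restore endpoint layout:
# "api.stream.restore.<stream>". Neither is taken from the page.
RESTORE_PREFIX = "api.stream.restore."


def subject_matches(pattern: str, subject: str) -> bool:
    ptoks, stoks = pattern.split("."), subject.split(".")
    for i, tok in enumerate(ptoks):
        if tok == ">":
            return i < len(stoks)  # '>' needs at least one token to consume
        if i >= len(stoks) or (tok != "*" and tok != stoks[i]):
            return False
    return len(ptoks) == len(stoks)


def is_permitted(allowed: Iterable[str], subject: str) -> bool:
    return any(subject_matches(p, subject) for p in allowed)


def stream_from_subject(subject: str) -> Optional[str]:
    """Stream name on the endpoint subject, or None unless exactly one literal
    token follows the prefix (wildcards and nested tokens are not stream names)."""
    if not subject.startswith(RESTORE_PREFIX):
        return None
    name = subject[len(RESTORE_PREFIX):]
    if not name or "." in name or name in ("*", ">"):
        return None
    return name


def stream_from_payload(payload: dict) -> Optional[str]:
    """Stream identifier the restore payload names (constructed shape
    {"config": {"name": ...}}); None if absent or not a non-empty string."""
    config = payload.get("config")
    if not isinstance(config, dict):
        return None
    name = config.get("name")
    return name if isinstance(name, str) and name else None


def authorize_restore_vulnerable(allowed, subject, payload) -> Optional[str]:
    """Flawed pattern: permission is checked on the subject only, and the stream
    that actually gets overwritten is whatever the payload says. Returns the
    stream the restore would target, or None if denied."""
    if not is_permitted(allowed, subject) or stream_from_subject(subject) is None:
        return None
    return stream_from_payload(payload)


def authorize_restore_hardened(allowed, subject, payload) -> Optional[str]:
    """Binding enforced: the payload may only name the stream the caller was
    authorized for on the subject path. Exact comparison, any mismatch or
    missing identifier is denied."""
    if not is_permitted(allowed, subject):
        return None
    subject_stream = stream_from_subject(subject)
    payload_stream = stream_from_payload(payload)
    if subject_stream is None or payload_stream is None:
        return None
    if subject_stream != payload_stream:
        return None
    return subject_stream
```

The hardened authorizer returns the subject-derived stream name rather than the payload's, so downstream code that creates or overwrites the stream is fed only the identifier that was actually authorized.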
CVE-2026-33248 class: Subject-DN-derived identities in mTLS verify_and_map must be resolved by parsing the Subject into its RDN sequence and comparing that structure exactly, not by brittle string-only handling of the Subject. This catches sibling variants where unusual RDN layouts (escaped separators, multi-valued RDNs, hex-encoded values, separator whitespace) can bypass or break principal mapping.
; benchmark generated from python API
; mtls_dn_structured_match_enforced = 1 means principal mapping compares parsed
; RDN structure, not raw Subject strings. The first two assertions pin the flag to
; 1; the third asserts the violation (the redundant "true" conjunct the generator
; emitted is dropped). Expected: unsat.
(set-info :status unsat)
(declare-fun mtls_dn_structured_match_enforced () Int)
(assert
(<= mtls_dn_structured_match_enforced 1))
(assert
(>= mtls_dn_structured_match_enforced 1))
(assert
(distinct mtls_dn_structured_match_enforced 1))
(check-sat)
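As an added example for this class (written for this page, not taken from verify_and_map or any project): an RFC 4514 Subject DN parser with a structured exact comparison, beside the kind of brittle string normalization the class warns against. The parser covers backslash escapes, hex-pair escapes (consecutive pairs decoded as one UTF-8 run), multi-valued RDNs and separator whitespace; '#'-prefixed hex-string values and malformed input are rejected so the mapper fails closed. The mapping-table format, the naive normalizer and the sample DNs are assumptions for illustration.

```python
import re
import string
from typing import FrozenSet, List, Optional, Tuple

# Attribute type: short name (CN, O, emailAddress) or a dotted OID (2.5.4.3).
_TYPE_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")


def _split_unescaped(text: str, sep: str) -> List[str]:
    """Split on sep, skipping backslash-escaped characters (\\, \\+ \\XX ...)."""
    parts, start, i = [], 0, 0
    while i < len(text):
        if text[i] == "\\":
            i += 2  # keep the escaped char with its backslash for later decoding
            continue
        if text[i] == sep:
            parts.append(text[start:i])
            start = i + 1
        i += 1
    if i > len(text):
        raise ValueError("dangling escape in %r" % text)
    parts.append(text[start:])
    return parts


def _unescape_value(raw: str) -> str:
    """Decode \\X and \\XX escapes, then drop only *unescaped* outer spaces."""
    units = []             # (text, escaped) so escaped spaces survive stripping
    pending = bytearray()  # consecutive \XX bytes, decoded as one UTF-8 run

    def flush():
        if pending:
            units.append((pending.decode("utf-8"), True))
            pending.clear()

    i = 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\":
            pair = raw[i + 1:i + 3]
            if len(pair) == 2 and all(h in string.hexdigits for h in pair):
                pending.append(int(pair, 16))
                i += 3
                continue
            if i + 1 >= len(raw):
                raise ValueError("dangling escape in %r" % raw)
            flush()
            units.append((raw[i + 1], True))
            i += 2
            continue
        flush()
        units.append((ch, False))
        i += 1
    flush()
    while units and units[0] == (" ", False):
        units.pop(0)
    while units and units[-1] == (" ", False):
        units.pop()
    return "".join(t for t, _ in units)


def parse_dn(dn: str) -> List[FrozenSet[Tuple[str, str]]]:
    """RDN sequence as written; each RDN is a frozenset of (lowercased type, exact
    value), so multi-valued RDN order is irrelevant but RDN order is preserved.
    Raises ValueError on malformed input, empty DNs and '#' hex-string values."""
    rdns = []
    for rdn_text in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn_text, "+"):
            typ, eq, raw_val = ava.partition("=")
            typ = typ.strip()
            if not eq or not _TYPE_RE.match(typ) or raw_val.lstrip(" ").startswith("#"):
                raise ValueError("malformed or unsupported attribute in %r" % ava)
            avas.append((typ.lower(), _unescape_value(raw_val)))
        rdns.append(frozenset(avas))
    return rdns


def dn_equal(a: str, b: str) -> bool:
    """Structured, exact comparison: same RDN sequence, same type/value pairs."""
    return parse_dn(a) == parse_dn(b)


def naive_dn_match(a: str, b: str) -> bool:
    """Brittle string-only comparison: folds case and strips every space so that
    'CN=a, O=b' equals 'cn=a,o=b', but it also merges 'al ice' with 'alice' and
    cannot see that two spellings of the same RDN are equal."""
    norm = lambda dn: dn.lower().replace(" ", "")
    return norm(a) == norm(b)


def map_principal(subject_dn: str, mapping: List[Tuple[str, str]]) -> Optional[str]:
    """Fail-closed mapping: malformed Subjects map to None. mapping is a list of
    (expected DN string, principal); the first structural match wins."""
    try:
        parsed = parse_dn(subject_dn)
    except ValueError:
        return None
    for expected_dn, principal in mapping:
        if parse_dn(expected_dn) == parsed:
            return principal
    return None
```

Two caveats on applying this. When the TLS stack already hands over the parsed X.509 Name (an RDN sequence), compare that structure directly and skip the string round-trip; the string parser is for the case where only the RFC 4514 form is available, such as mapping rules in configuration. And the comparison here is exact on values: if a deployment wants LDAP caseIgnore semantics for CN or O, that folding belongs per attribute type inside the structured compare, never on the whole Subject string.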