There are 2 open security issues in buster.
2 issues left for the package maintainer to handle:
The JWT library in NATS nats-server before 2.1.9 allows a denial of service (a nil dereference in Go code).
The JWT library in NATS nats-server before 2.1.9 has Incorrect Access Control because of how expired credentials are handled.
You can find information about how to handle these issues in the security team's documentation.