CVE-2026-27571 — Improper Handling of Highly Compressed Data (Data Amplification) in Nats-server
Severity: 7.5 HIGH (NVD); NVD: 5.3
EPSS: 0.0% (top 91.22%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 24; Latest update Mar 25
Description
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The WebSockets handling of NATS messages handles compressed messages via the WebSockets negotiated compression. Prior to versions 2.11.2 and 2.12.3, the implementation bound the memory size of a NATS message but did not independently bound the memory consumption of the memory stream when constructing a NATS message which might then fail validation for size reasons. An attacker can use a compression bo…
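The failure class the description names is easy to reproduce outside nats-server: a permessage-deflate frame is a raw DEFLATE stream, and DEFLATE can expand a few kilobytes of input into tens of megabytes. If the server inflates the whole stream into memory and only then checks the message against its size limit, the check runs after the damage is done. The block below is an added illustration, not nats-server's code: `MaxPayload`, `ErrTooLarge`, `MakeBomb`, `InflateUnbounded` and `InflateBounded` are hypothetical names, `MaxPayload` stands in for a max_payload-style limit with an arbitrary value, and the "bomb" is a constructed stream of zeros. The unbounded variant buffers every inflated byte before rejecting; the bounded variant caps the inflated stream itself with `io.LimitReader` and rejects as soon as one byte more than the limit appears.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// MaxPayload is a hypothetical per-message limit (an illustration of a
// max_payload-style setting, not nats-server's actual default).
const MaxPayload = 64 * 1024

// ErrTooLarge is returned when the inflated message exceeds MaxPayload.
var ErrTooLarge = errors.New("decompressed message exceeds max payload")

// MakeBomb builds a constructed raw-DEFLATE stream (the encoding used by
// permessage-deflate) that inflates to n zero bytes. Because DEFLATE
// encodes long runs as back-references, the output is tiny relative to n.
func MakeBomb(n int) []byte {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.BestCompression)
	if err != nil {
		panic(err)
	}
	zeros := make([]byte, 32*1024)
	for remaining := n; remaining > 0; remaining -= len(zeros) {
		chunk := zeros
		if remaining < len(zeros) {
			chunk = zeros[:remaining]
		}
		if _, err := w.Write(chunk); err != nil {
			panic(err)
		}
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// InflateUnbounded shows the flawed pattern: the entire inflated stream is
// buffered in memory and the size check happens afterwards. It returns how
// many bytes were buffered before the limit was applied.
func InflateUnbounded(compressed []byte) (int, error) {
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	out, err := io.ReadAll(r) // memory grows with the inflated size
	if err != nil {
		return 0, err
	}
	if len(out) > MaxPayload {
		return len(out), ErrTooLarge
	}
	return len(out), nil
}

// InflateBounded caps the inflated stream independently of the compressed
// frame size: at most MaxPayload+1 bytes are ever produced, and seeing that
// extra byte is enough to reject the message.
func InflateBounded(compressed []byte) (int, error) {
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	out, err := io.ReadAll(io.LimitReader(r, MaxPayload+1))
	if err != nil {
		return 0, err
	}
	if len(out) > MaxPayload {
		return len(out), ErrTooLarge
	}
	return len(out), nil
}

func main() {
	const inflated = 16 << 20 // 16 MiB of zeros
	bomb := MakeBomb(inflated)
	fmt.Printf("bomb: %d compressed bytes -> %d inflated bytes\n", len(bomb), inflated)
	n, err := InflateUnbounded(bomb)
	fmt.Printf("unbounded: buffered %d bytes before rejecting (%v)\n", n, err)
	n, err = InflateBounded(bomb)
	fmt.Printf("bounded:   buffered %d bytes before rejecting (%v)\n", n, err)
}
```

The point to check in any WebSocket-facing service that negotiates compression is the order of operations: the limit must be enforced on the inflater's output as it is produced, not on the compressed frame length and not on a fully materialised buffer. For nats-server itself the remediation is the version upgrade the description states (2.11.2 or 2.12.3 and later), not this snippet.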
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (Exploitability: 3.9 | Impact: 3.6)
Network-reachable, no privileges or user interaction required, availability impact only: consistent with the pre-authentication memory exhaustion described above.
Affected packages: 8 packages
Vulnerability details
OSV: nats-server websockets are vulnerable to pre-auth memory DoS in github.com/nats-io/nats-server (2026-02-25)
Vendor advisories
Red Hat: github.com/nats-io/nats-server: NATS-Server: Denial of Service via unbounded memory use in WebSockets (2026-03-25)
Debian: CVE-2026-27571: nats-server - NATS-Server is a High-Performance server for NATS.io, a cloud and edge native me... (2026)
Debian: CVE-2026-33219: nats-server - NATS-Server is a High-Performance server for NATS.io, a cloud and edge native me... (2026)