CVE-2026-27571
Published 2026-02-24
Priority P3 46 · Severity high · CVSS 3.1 base score 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.48% (37.7th percentile)
NATS-Server is the high-performance server for NATS.io, a cloud- and edge-native messaging system. Its WebSocket client listener accepts compressed frames when compression (the permessage-deflate extension) is negotiated during the WebSocket handshake. Prior to versions 2.11.12 and 2.12.3 (the description as first published reads "2.11.2", but every affected-range entry on this page lists the 2.11.x fix as 2.11.12), the server bounded the size of a decoded NATS message but did not independently bound the memory consumed by the intermediate buffer while inflating a compressed frame. A frame could therefore expand to far more than the configured maximum payload before the size check rejected the result. An attacker can send a compression bomb (a small deflated frame that inflates to a very large buffer) to drive memory use up until the operating system kills the server process. Compression is negotiated in the WebSocket handshake, before NATS authentication, so no valid credentials are needed. The fix in 2.11.12 and 2.12.3 bounds decompression so that it fails as soon as the inflated data exceeds the allowed size instead of continuing to inflate. Only deployments that enable the WebSocket listener and expose its port to untrusted peers are affected. Short of upgrading, remove the `websocket` block if it is not needed or restrict the port to trusted networks. The `compression` option in the `websocket` block controls whether the server negotiates compression at all; if it is off, the deflate path this bug lives in is not reachable, which is worth verifying in your configuration alongside the version check. Note that the follow-up CVE-2026-33219 (listed further down) reaches unbounded pre-auth memory use on the same listener without compression, so turning compression off is not a substitute for upgrading to 2.11.15 or 2.12.6.
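To make the difference between the vulnerable and the fixed behaviour concrete, here is an added example written for this page (not code from nats-server). It builds a constructed DEFLATE bomb with `compress/flate` and runs it through two readers: `inflateUnbounded` inflates everything and checks the size afterwards, the pattern the advisory describes, while `inflateBounded` caps the inflating reader at the limit plus one byte so it fails as soon as the limit is crossed. The names, the `maxPayload` stand-in for the server's `max_payload` setting and the bomb itself are assumptions of the example.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// ErrTooLarge is returned when the inflated message exceeds the allowed size.
var ErrTooLarge = errors.New("inflated message exceeds max payload")

// makeBomb builds a constructed compression bomb for the demo: a small DEFLATE
// stream that inflates to inflatedSize bytes of zeros. This is test input made
// for this example, not material from the advisory.
func makeBomb(inflatedSize int) []byte {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.BestCompression)
	if err != nil {
		panic(err)
	}
	zeros := make([]byte, 64*1024)
	for remaining := inflatedSize; remaining > 0; {
		n := len(zeros)
		if remaining < n {
			n = remaining
		}
		if _, err := w.Write(zeros[:n]); err != nil {
			panic(err)
		}
		remaining -= n
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// inflateUnbounded mirrors the vulnerable pattern: inflate the whole frame into
// memory first and only then compare it against maxPayload. The size check is
// correct but comes too late; the returned length is also the peak allocation.
func inflateUnbounded(compressed []byte, maxPayload int) (int, error) {
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	data, err := io.ReadAll(r)
	if err != nil {
		return 0, err
	}
	if len(data) > maxPayload {
		return len(data), ErrTooLarge
	}
	return len(data), nil
}

// inflateBounded is the fixed pattern: cap the inflating reader at maxPayload+1
// bytes so decompression stops the moment the limit is crossed. Peak allocation
// stays within a small constant factor of maxPayload regardless of how far the
// frame would inflate.
func inflateBounded(compressed []byte, maxPayload int) (int, error) {
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	data, err := io.ReadAll(io.LimitReader(r, int64(maxPayload)+1))
	if err != nil {
		return 0, err
	}
	if len(data) > maxPayload {
		return len(data), ErrTooLarge
	}
	return len(data), nil
}

func main() {
	const maxPayload = 1 << 20 // 1 MiB, stand-in for the server's max_payload
	bomb := makeBomb(16 << 20)  // 16 MiB of zeros; a few tens of KB on the wire
	fmt.Printf("bomb on the wire: %d bytes\n", len(bomb))
	n, err := inflateUnbounded(bomb, maxPayload)
	fmt.Printf("unbounded: allocated %d bytes before rejecting: %v\n", n, err)
	n, err = inflateBounded(bomb, maxPayload)
	fmt.Printf("bounded:   allocated %d bytes before rejecting: %v\n", n, err)
}
```

The point of the bounded reader is that the rejection happens at the limit, not after the attacker's chosen expansion: a 16 MiB bomb costs the unbounded reader 16 MiB, the bounded reader one byte over the limit.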
Affected
17 ranges. Ranges that end at 2.11.12, 2.12.3 or Debian 2.12.4-1 are the fixes for CVE-2026-27571; ranges that end at 2.11.15, 2.12.6 or Debian 2.12.6-1 are the fixes for the related follow-up CVE-2026-33219, whose advisories are listed alongside below. The github.com nats-io_nats-server row (0 – 1.4.1) is the v1 module path, for which no fixed version is given. The MSRC rows name telegraf packages, which bundle the nats-server Go module.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | nats-server | < 2.12.4-1 (forky) | 2.12.4-1 (forky) |
| debian | nats-server | < 2.12.6-1 (forky) | 2.12.6-1 (forky) |
| github.com | nats-io_nats-server | 0 – 1.4.1 | — |
| github.com | nats-io_nats-server_v2 | >= 0 < 2.11.12 | 2.11.12 |
| github.com | nats-io_nats-server_v2 | >= 0 < 2.11.15 | 2.11.15 |
| github.com | nats-io_nats-server_v2 | >= 2.12.0-RC.1 < 2.12.3 | 2.12.3 |
| github.com | nats-io_nats-server_v2 | >= 2.12.0-RC.1 < 2.12.6 | 2.12.6 |
| linuxfoundation | nats-server | < 2.11.12 | 2.11.12 |
| linuxfoundation | nats-server | < 2.11.15 | 2.11.15 |
| linuxfoundation | nats-server | >= 0 < 2.12.4-1 | 2.12.4-1 |
| linuxfoundation | nats-server | >= 0 < 2.12.6-1 | 2.12.6-1 |
| linuxfoundation | nats-server | >= 2.12.0 < 2.12.3 | 2.12.3 |
| linuxfoundation | nats-server | >= 2.12.0 < 2.12.6 | 2.12.6 |
| msrc | azl3_telegraf_1.31.0-12_on_azure_linux_3.0 | — | — |
| msrc | cbl2_telegraf_1.29.4-18_on_cbl_mariner_2.0 | — | — |
| nats-io | nats-server | < 2.11.15 | 2.11.15 |
| nats-io | nats-server | — | — |
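A practitioner checking an estate against the ranges above wants a branch-aware version comparison rather than a plain string compare, because the 2.11.x and 2.12.x lines have different fixed releases and an RC of a fixed version is still vulnerable. The following added example (written for this page, not part of nats-server or any scanner) encodes the fixed versions from the table and reports which of the two CVEs a given version is still exposed to, assuming the WebSocket listener is enabled and reachable. `VersionFromInfo` pulls the version out of the `INFO` line a nats-server sends to every client on connect, before authentication, so it works against an exposed port without credentials; the sample `INFO` line is constructed and its field set is illustrative. `Vulnerable`, `fixes` and the other names are the example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// fix records, per CVE, the first fixed release on the 2.11.x and 2.12.x branches.
// Values come from the affected ranges listed on this page.
type fix struct {
	cve        string
	v211, v212 [3]int
}

var fixes = []fix{
	{"CVE-2026-27571", [3]int{2, 11, 12}, [3]int{2, 12, 3}}, // compression bomb
	{"CVE-2026-33219", [3]int{2, 11, 15}, [3]int{2, 12, 6}}, // non-compressed variant
}

// parseVersion accepts "2.12.2", "v2.12.2" or "2.12.3-RC.1" and returns
// major/minor/patch plus a pre-release flag. A pre-release of X sorts before X.
func parseVersion(s string) (ver [3]int, pre bool, err error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexByte(s, '-'); i >= 0 {
		pre = true
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return ver, pre, fmt.Errorf("bad version %q", s)
	}
	for i, p := range parts {
		n, convErr := strconv.Atoi(p)
		if convErr != nil {
			return ver, pre, fmt.Errorf("bad version %q", s)
		}
		ver[i] = n
	}
	return ver, pre, nil
}

// cmp orders two versions: -1 if a < b, 0 if equal, 1 if a > b.
func cmp(a, b [3]int) int {
	for i := range a {
		if a[i] != b[i] {
			if a[i] < b[i] {
				return -1
			}
			return 1
		}
	}
	return 0
}

// Vulnerable returns the CVEs a nats-server version is still exposed to.
// Anything before 2.11 (including the v1 module line) has no listed fix and is
// reported for both; 2.11.x and 2.12.x are compared against their own branch fix.
func Vulnerable(version string) ([]string, error) {
	ver, pre, err := parseVersion(version)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, f := range fixes {
		var fixed [3]int
		switch {
		case ver[0] < 2 || (ver[0] == 2 && ver[1] < 11):
			out = append(out, f.cve)
			continue
		case ver[0] == 2 && ver[1] == 11:
			fixed = f.v211
		default: // 2.12 and later
			fixed = f.v212
		}
		if c := cmp(ver, fixed); c < 0 || (c == 0 && pre) {
			out = append(out, f.cve)
		}
	}
	return out, nil
}

// VersionFromInfo extracts "version" from the pre-auth INFO line, e.g.
// `INFO {"server_id":"...","version":"2.12.2",...}`.
func VersionFromInfo(line string) (string, error) {
	line = strings.TrimSpace(line)
	if !strings.HasPrefix(line, "INFO ") {
		return "", fmt.Errorf("not an INFO line")
	}
	var info struct {
		Version string `json:"version"`
	}
	if err := json.Unmarshal([]byte(line[5:]), &info); err != nil {
		return "", err
	}
	if info.Version == "" {
		return "", fmt.Errorf("no version field in INFO")
	}
	return info.Version, nil
}

func main() {
	// Constructed sample INFO line for the demo; field set is illustrative.
	sample := `INFO {"server_id":"NBEXAMPLE","server_name":"ws-edge-1","version":"2.12.2","proto":1,"max_payload":1048576}`
	v, err := VersionFromInfo(sample)
	if err != nil {
		panic(err)
	}
	cves, err := Vulnerable(v)
	if err != nil {
		panic(err)
	}
	fmt.Printf("server %s still exposed to: %v\n", v, cves)
}
```

The version check is necessary but not sufficient: a patched binary can still be exposed to CVE-2026-33219-style bandwidth attacks if the listener is on an untrusted network, and an unpatched one is safe if the `websocket` block is absent. Pair the result with the listener configuration before deciding on priority.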
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| GHSA | — | 7.5 | HIGH | — |
| OSV | — | 7.5 | HIGH | — |
| Debian | — | 5.9 | MEDIUM | — |
| Microsoft (MSRC) | — | 5.9 | MEDIUM | — |
| Red Hat | — | 5.9 | MEDIUM | — |
The NVD vector scores a network-reachable, low-complexity, unauthenticated attack with high availability impact and no confidentiality or integrity effect. The three distribution vendors rate the same issue 5.9 MEDIUM; their vectors are not given here.
OSV
CVE-2026-33219: NATS-Server is a High-Performance server for NATS
osv · 2026-03-25 · CVSS 7.5 · HIGH
NATS-Server is the high-performance server for NATS.io, a cloud- and edge-native messaging system. Prior to versions 2.11.15 and 2.12.6, a malicious client that can connect to the WebSocket port can cause unbounded memory use in nats-server before authentication; unlike the earlier bug, this requires the client to actually send a corresponding amount of data. It is a milder variant of CVE-2026-27571: that issue was a compression bomb, this one is not, so an attack needs significant client bandwidth. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable WebSockets if the deployment does not require them.
GHSA
NATS is vulnerable to pre-auth DoS through WebSockets client service
ghsa · 2026-03-24 · CVSS 7.5 · HIGH · CWE-770 (the same text is mirrored by OSV, 2026-03-24)
### Background
NATS.io is a high-performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server offers a WebSockets client service, used in deployments where browsers are the NATS clients.
### Problem Description
A malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires sending a corresponding amount of data.
This is a milder variant of [NATS-advisory-ID 2026-02](https://advisories.nats.io/CVE/secnote-2026-02.txt) (aka CVE-2026-27571; GHSA-qrvq-68c2-7grw).
That earlier issue was a compression bomb, this vulnerability is not. Attacks against this new issue thus require significant client bandwidth.
OSV
nats-server websockets are vulnerable to pre-auth memory DoS in github.com/nats-io/nats-server
osv · 2026-02-25 · CVE-2026-27571
OSV
CVE-2026-27571: NATS-Server is a High-Performance server for NATS
osv · 2026-02-24 · CVSS 7.5 · HIGH
Carries the NVD description reproduced at the top of this page.
GHSA
nats-server websockets are vulnerable to pre-auth memory DoS
ghsa · 2026-02-24 · MEDIUM · CWE-409 (the same text is mirrored by OSV, 2026-02-24)
### Impact
The WebSockets handling of NATS messages handles compressed messages via the WebSockets negotiated compression. The implementation bounded the memory size of a NATS message but did not independently bound the memory consumption of the memory stream while constructing a NATS message that might then fail validation for size reasons.
An attacker can use a compression bomb to cause excessive memory consumption, often resulting in the operating system terminating the server process.
The use of compression is negotiated before authentication, so this does not require valid NATS credentials to exploit.
The fix was to bound the decompression so that it fails once the message is too large, instead of continuing on.
### Patches
Th
Red Hat
github.com/nats-io/nats-server: NATS-Server: Denial of Service via unbounded memory use in WebSockets
vendor_redhat · 2026-03-25 · CVSS 5.9 · MEDIUM · CWE-770 · CVE-2026-33219
Carries the NVD description for CVE-2026-33219 (see the OSV entry above), followed by Red Hat's own summary:
A flaw was found in NATS-Server. A malicious client connecting to th
Red Hat
nats-server: WebSockets pre-auth memory DoS
vendor_redhat · 2026-02-24 · CVSS 5.9 · MEDIUM · CWE-770 · CVE-2026-27571
Carries the NVD description reproduced at the top of this page.
Microsoft
nats-server websockets are vulnerable to pre-auth memory DoS
vendor_msrc · 2026-02-10 · CVSS 5.9 · MEDIUM · CWE-409 · CVE-2026-27571
Affected products: telegraf 1.29.4-18 on CBL-Mariner 2.0 and telegraf 1.31.0-12 on Azure Linux 3.0 (see the two msrc rows in the affected table).
Customer Action Required: Yes
Remediation: CBL-Mariner releases
Reference: https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade
Debian
CVE-2026-27571: nats-server - NATS-Server is a High-Performance server for NATS.io, a cloud and edge native me...
vendor_debian · 2026 · CVSS 5.9 · MEDIUM
Carries the NVD description reproduced at the top of this page. Debian's fixed package for this CVE is 2.12.4-1 (see the affected table).
Debian
CVE-2026-33219: nats-server - NATS-Server is a High-Performance server for NATS.io, a cloud and edge native me...
vendor_debian · 2026 · CVSS 5.9 · MEDIUM
Carries the NVD description for CVE-2026-33219 (see the OSV entry above).
Scope: local
Suite status: bookworm open · trixie open · forky resolved (fixed in 2.12.6-1) · sid resolved (fixed in 2.12.6-1)
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-33219 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.9 · MEDIUM
## CVE-2026-33219: NixOS vulnerability analysis and mitigation
Carries the NVD description for CVE-2026-33219 (see the OSV entry above).
Source: NVD · Published March 25, 2026 · Severity MEDIUM · Score 5.3 (CNA score 5.3)
Affected Technol
Wiz
CVE-2026-27571 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.9 · MEDIUM
## CVE-2026-27571: NixOS vulnerability analysis and mitigation
Carries the NVD description reproduced at the top of this page.
Published 2026-02-24