CVE-2026-29785
Published 2026-03-25
Priority: P346 · Severity: high · CVSS 3.1 base score: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.66% (46.9th percentile)
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.14 and 2.12.5, if the nats-server has the "leafnode" configuration enabled (not default), then anyone who can connect can crash the nats-server by triggering a panic. This happens pre-authentication and requires that compression be enabled (which it is, by default, when leafnodes are used). Versions 2.11.14 and 2.12.5 contain a fix. As a workaround, disable compression on the leafnode port.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | nats-server | < nats-server 2.12.6-1 (forky) | nats-server 2.12.6-1 (forky) |
| github.com | nats-io_nats-server_v2 | >= 0 < 2.11.14 | 2.11.14 |
| github.com | nats-io_nats-server_v2 | >= 2.12.0-RC.1 < 2.12.5 | 2.12.5 |
| linuxfoundation | nats-server | < 2.11.14 | 2.11.14 |
| linuxfoundation | nats-server | >= 0 < 2.12.6-1 | 2.12.6-1 |
| linuxfoundation | nats-server | >= 2.12.0 < 2.12.5 | 2.12.5 |
| nats-io | nats-server | < 2.11.14 | 2.11.14 |
| nats-io | nats-server | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |
Red Hat
github.com/nats-io/nats-server: NATS-Server: Denial of Service via leafnode compression
vendor_redhat · 2026-03-25 · CVSS 7.5 · HIGH · CWE-409
A flaw was found in NATS-Server. A remote attacker can exploit this vulnerability by connecting to a NATS-Server instance where the 'leafnode' configuration is enabled and compression is active. Th
Debian
CVE-2026-29785: nats-server - NATS-Server is a High-Performance server for NATS.io, a cloud and edge native me...
vendor_debian · 2026 · CVSS 7.5 · HIGH
Scope: local
bookworm: open
forky: resolved (fixed in 2.12.6-1)
sid: resolved (fixed in 2.12.6-1)
trixie: open
OSV
NATS Server panic via malicious compression on leafnode port in github.com/nats-io/nats-server
osv · 2026-03-26
OSV
CVE-2026-29785: NATS-Server is a High-Performance server for NATS
osv · 2026-03-25 · CVSS 7.5 · HIGH
OSV
NATS Server panic via malicious compression on leafnode port
osv · 2026-03-24 · HIGH
### Background
NATS.io is a high-performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
When the server is configured to accept leafnode connections (for a hub/spoke topology of multiple nats-servers), its default configuration allows compression to be negotiated; a malicious remote NATS server can trigger a server panic via that compression.
### Problem Description
If the nats-server has the "leafnode" configuration enabled (not default), then anyone who can connect can crash the nats-server by triggering a panic. This happens pre-authentication and requires that compression be enabled (which it is, by default, when leafnodes are used).
Context: a NATS server c
GHSA
NATS Server panic via malicious compression on leafnode port
ghsa · 2026-03-24 · HIGH · CWE-476
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-29785 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.5 · HIGH
## CVE-2026-29785: NixOS vulnerability analysis and mitigation
Source: NVD
Score: 7.5
Published: March 25, 2026
Severity: HIGH
CNA Score: 7.5
Affected Technologies: NixOS, Wolfi
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Bugzilla
CVE-2025-29785 syncthing: quic-go Has Panic in Path Probe Loss Recovery Handling [fedora-42]
bugzilla · 2025-06-02 · CVSS 7.5 · HIGH
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2369741
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '4
References
https://advisories.nats.io/CVE/secnote-2026-04.txt
https://github.com/nats-io/nats-server/commit/a1488de6f2ba6e666aef0f9cce0016f7f167d6a8
https://github.com/nats-io/nats-server/security/advisories/GHSA-52jh-2xxh-pwh6
https://access.redhat.com/errata/RHSA-2026:21769
https://access.redhat.com/errata/RHSA-2026:22347
https://access.redhat.com/errata/RHSA-2026:23345
https://access.redhat.com/security/cve/CVE-2026-29785
https://bugzilla.redhat.com/show_bug.cgi?id=2451444
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-29785.json
Published: 2026-03-25