Description
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The WebSockets handling of NATS messages handles compressed messages via the WebSockets negotiated compression. Prior to versions 2.11.2 and 2.12.3, the implementation bound the memory size of a NATS message but did not independently bound the memory consumption of the memory stream when constructing a NATS message which might then fail validation for size reasons. An attacker can use a compression bomb to cause excessive memory consumption, often resulting in the operating system terminating the server process. The use of compression is negotiated before authentication, so this does not require valid NATS credentials to exploit. The fix, present in versions 2.11.2 and 2.12.3, was to bound the decompression so that it fails once the message is too large, instead of continuing on. The vulnerability only affects deployments which use WebSockets and which expose the network port to untrusted end-points.
Published: 2026-02-24
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service due to excessive memory consumption caused by compression bombs
Action: Patch
AI Analysis

Impact

NATS‑Server’s WebSockets implementation allowed unbounded memory consumption when processing compressed NATS messages. An attacker can send a compressed message that explodes in size during decompression, exhausting memory and typically crashing the server. The flaw is a lack of independent memory‑stream bounds, resulting in a denial‑of‑service effect without requiring authentication.
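The two patterns contrasted in the description and in the impact summary above, as an added Go illustration that is not nats-server's own code: inflating a permessage-deflate frame completely and checking the size afterwards, versus stopping the inflater as soon as the output passes the configured max payload. `Deflate` is a constructed helper that builds a compressible test frame; all function and variable names are assumptions.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"io"
)

// ErrTooLarge mirrors a max_payload rejection for an inflated WebSocket frame.
var ErrTooLarge = errors.New("inflated payload exceeds max payload")

// InflateUnbounded is the pre-fix pattern: inflate the whole frame, then check
// the finished message against maxPayload. Memory grows with the inflated size,
// so the check comes too late. The buffer is returned even on error so a
// caller can see how much memory the frame forced the server to allocate.
func InflateUnbounded(frame []byte, maxPayload int) ([]byte, error) {
	z := flate.NewReader(bytes.NewReader(frame))
	defer z.Close()
	out, err := io.ReadAll(z)
	if err == nil && len(out) > maxPayload {
		err = ErrTooLarge
	}
	return out, err
}

// InflateBounded is the fixed pattern: stop inflating as soon as the output
// passes maxPayload, so no more than maxPayload+1 bytes are ever buffered,
// whatever the compression ratio of the frame.
func InflateBounded(frame []byte, maxPayload int) ([]byte, error) {
	z := flate.NewReader(bytes.NewReader(frame))
	defer z.Close()
	out, err := io.ReadAll(io.LimitReader(z, int64(maxPayload)+1))
	if err == nil && len(out) > maxPayload {
		err = ErrTooLarge
	}
	return out, err
}

// Deflate compresses p with raw deflate, as permessage-deflate does
// (simplified: real frames use sync-flushed blocks with the trailing
// 00 00 ff ff removed; a finished stream is enough for this comparison).
func Deflate(p []byte) []byte {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression)
	w.Write(p)
	w.Close()
	return buf.Bytes()
}
```

A few kilobytes of input inflate to megabytes in the first function, while the second never buffers more than the limit plus one byte before rejecting the frame.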

Affected Systems

The vulnerability affects NATS‑IO NATS‑Server deployments that expose the WebSockets port to external networks. Versions earlier than 2.11.2 and 2.12.3 are vulnerable; later releases include the fix.

Risk and Exploitability

The CVSS score of 5.9 indicates a moderate severity. The EPSS score of less than 1% suggests a low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw over the network by sending a specially crafted compressed message before authentication. The denial‑of‑service outcome typically results in the operating system terminating the server process.

Generated by OpenCVE AI on April 18, 2026 at 10:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to NATS‑Server 2.11.2, 2.12.3, or any later release that includes the memory‑limit fix.
  • Restrict access to the WebSockets port, permitting only trusted networks or internal hosts to connect.
  • If WebSockets are not required, consider disabling the feature altogether to eliminate the attack surface.
  • Monitor server memory usage and set alerts for sudden spikes that may indicate a compression bomb attack.

Advisories
Source | ID | Title
Github GHSA | GHSA-qrvq-68c2-7grw | nats-server websockets are vulnerable to pre-auth memory DoS
History

Thu, 26 Feb 2026 23:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 19:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Linuxfoundation; Linuxfoundation nats-server
CPEs | | cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*
Vendors & Products | | Linuxfoundation; Linuxfoundation nats-server

Wed, 25 Feb 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Nats; Nats nats Server
Vendors & Products | | Nats; Nats nats Server

Wed, 25 Feb 2026 00:15:00 +0000

Type | Values Removed | Values Added
References | |
Metrics | threat_severity: None | threat_severity: Moderate

Tue, 24 Feb 2026 16:30:00 +0000

Type | Values Removed | Values Added
Description | | NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The WebSockets handling of NATS messages handles compressed messages via the WebSockets negotiated compression. Prior to versions 2.11.2 and 2.12.3, the implementation bound the memory size of a NATS message but did not independently bound the memory consumption of the memory stream when constructing a NATS message which might then fail validation for size reasons. An attacker can use a compression bomb to cause excessive memory consumption, often resulting in the operating system terminating the server process. The use of compression is negotiated before authentication, so this does not require valid NATS credentials to exploit. The fix, present in versions 2.11.2 and 2.12.3, was to bounds the decompression to fail once the message was too large, instead of continuing on. The vulnerability only affects deployments which use WebSockets and which expose the network port to untrusted end-points.
Title | | nats-server websockets are vulnerable to pre-auth memory DoS
Weaknesses | | CWE-409; CWE-770
References | |
Metrics | | cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T21:33:40.372Z

Reserved: 2026-02-20T17:40:28.448Z

Link: CVE-2026-27571

Vulnrichment

Updated: 2026-02-26T21:06:39.596Z

NVD

Status : Analyzed

Published: 2026-02-24T17:29:03.393

Modified: 2026-02-26T19:06:26.413

Link: CVE-2026-27571

Redhat

Severity : Moderate

Public Date: 2026-02-24T15:59:17Z

Links: CVE-2026-27571 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T11:00:05Z

Weaknesses