Description
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.2.0 and prior to versions 2.11.14 and 2.12.5, a missing sanity check on a WebSockets frame could trigger a server panic in the nats-server. This happens before authentication, and so is exposed to anyone who can connect to the websockets port. Versions 2.11.14 and 2.12.5 contains a fix. A workaround is available. The vulnerability only affects deployments which use WebSockets and which expose the network port to untrusted end-points. If one is able to do so, a defense in depth of restricting either of these will mitigate the attack.
Published: 2026-03-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (Server Crash)
Action: Patch Immediately
AI Analysis

Impact

A missing sanity check on WebSocket frames allows an unauthenticated attacker to send a crafted frame that overflows a buffer and triggers a server panic in the NATS Server. When the panic occurs, the entire server process terminates, causing a denial of service to all clients connected to the affected instance. This vulnerability is rooted in integer overflow and unchecked buffer length handling, as highlighted by CWE-1286 and CWE-190.

Affected Systems

The flaw exists in NATS-IO NATS Server versions starting at 2.2.0 and continuing through 2.11.13 and 2.12.4. Versions 2.11.14 and 2.12.5 and later contain the fix. The issue is relevant only when WebSockets are enabled and the service is accessible to untrusted network endpoints.

Risk and Exploitability

With a CVSS score of 7.5 the vulnerability is classified as high severity. The EPSS score is below 1%, indicating a low probability of widespread exploitation, and it is not listed in the CISA KEV catalog. However, the attack vector is straightforward: any host that can reach the WebSocket port can send a malicious frame before authentication, making remote exploitation possible over the network.

Generated by OpenCVE AI on March 26, 2026 at 18:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NATS Server to version 2.11.14, 2.12.5, or later.
  • Apply the official workaround by restricting the WebSocket port to trusted networks or disabling WebSockets entirely if not needed.
  • Verify that the WebSocket port is not exposed to the public internet.
  • Monitor server logs for unexpected crashes and restart policies for quick recovery.

Generated by OpenCVE AI on March 26, 2026 at 18:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-pq2q-rcw4-3hr6 NATS: Pre-auth remote server crash via WebSocket frame length overflow in wsRead
History

Thu, 26 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Linuxfoundation
Linuxfoundation nats-server
CPEs cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*
Vendors & Products Linuxfoundation
Linuxfoundation nats-server

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Nats
Nats nats Server
Vendors & Products Nats
Nats nats Server

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1286
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 25 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
Description NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.2.0 and prior to versions 2.11.14 and 2.12.5, a missing sanity check on a WebSockets frame could trigger a server panic in the nats-server. This happens before authentication, and so is exposed to anyone who can connect to the websockets port. Versions 2.11.14 and 2.12.5 contains a fix. A workaround is available. The vulnerability only affects deployments which use WebSockets and which expose the network port to untrusted end-points. If one is able to do so, a defense in depth of restricting either of these will mitigate the attack.
Title NATS: Pre-auth remote server crash via WebSocket frame length overflow in wsRead
Weaknesses CWE-190
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Linuxfoundation Nats-server
Nats Nats Server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T20:06:31.897Z

Reserved: 2026-02-24T15:19:29.716Z

Link: CVE-2026-27889

cve-icon Vulnrichment

Updated: 2026-03-25T20:06:28.024Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T20:16:27.210

Modified: 2026-03-26T17:13:16.140

Link: CVE-2026-27889

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-25T19:36:36Z

Links: CVE-2026-27889 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:30:16Z

Weaknesses