Description
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.14 and 2.12.5, if the nats-server has the "leafnode" configuration enabled (not default), then anyone who can connect can crash the nats-server by triggering a panic. This happens pre-authentication and requires that compression be enabled (which it is, by default, when leafnodes are used). Versions 2.11.14 and 2.12.5 contain a fix. As a workaround, disable compression on the leafnode port.
Published: 2026-03-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via Server Panic
Action: Patch Now
AI Analysis

Impact

An unauthenticated attacker who can connect to a NATS Server with the leafnode configuration enabled can send crafted compressed data that triggers a server panic, immediately crashing the process and disrupting messaging. The result is denial of service only, with no data exposure or code execution; the weakness maps to the CWEs recorded for this CVE, CWE-409 (improper handling of highly compressed data) and CWE-476 (NULL pointer dereference).

Affected Systems

The flaw affects the NATS.io NATS Server messaging platform in versions earlier than 2.11.14 and 2.12.5. It is present in any deployment where the leafnode feature is active and leafnode compression is enabled (the default whenever leafnodes are configured), regardless of operating system.

Risk and Exploitability

The CVSS score of 7.5 denotes high severity, while the EPSS score below 1% indicates a low current likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The attack requires only network connectivity to the leafnode port and succeeds before authentication, so the vector is remote and any leafnode port reachable from untrusted networks is the primary concern.

Generated by OpenCVE AI on March 26, 2026 at 18:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest NATS Server release (at least 2.11.14 or 2.12.5) to address the panic condition.
  • If a patch cannot be applied immediately, disable compression on the leafnode port in the configuration as a temporary countermeasure.
  • Consider disabling leafnode functionality entirely if it is not required for your deployment.
  • Monitor server logs for panic events and confirm that the mitigation is effective.
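As an added illustration of the workaround (not from the advisory or the NATS project), the following leafnodes block switches compression off on the leafnode listener. It assumes the `compression` setting that nats-server documents for the `leafnodes` configuration block; port 7422 is an assumed placeholder, and the option should be checked against the documentation for the version actually deployed.

```conf
# nats-server.conf fragment (added example, not from the advisory)
# Leafnode listener with compression disabled as the temporary
# workaround for CVE-2026-29785 until 2.11.14 / 2.12.5 is deployed.
leafnodes {
    # Assumed port value; use the port your deployment listens on.
    port: 7422
    # Compression defaults to on when leafnodes are configured;
    # "off" prevents compression from being negotiated on this listener.
    compression: off
}
```

After applying the change, restart the server or reload its configuration and confirm from the startup log that the leafnode listener is up, then keep the override only until the patched release is in place.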



Advisories

Source: GitHub GHSA
ID: GHSA-52jh-2xxh-pwh6
Title: NATS Server panic via malicious compression on leafnode port
History

Sat, 28 Mar 2026 03:15:00 +0000
  Metrics (ssvc) added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 17:15:00 +0000
  First Time appeared: Linuxfoundation; Linuxfoundation nats-server
  CPEs added: cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*
  Vendors & Products added: Linuxfoundation; Linuxfoundation nats-server

Thu, 26 Mar 2026 12:00:00 +0000
  First Time appeared: Nats; Nats nats Server
  Vendors & Products added: Nats; Nats nats Server

Thu, 26 Mar 2026 00:15:00 +0000
  Weaknesses added: CWE-409
  References: updated
  Metrics (threat_severity): None (removed) / Important (added)

Wed, 25 Mar 2026 20:00:00 +0000
  Description added: NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.14 and 2.12.5, if the nats-server has the "leafnode" configuration enabled (not default), then anyone who can connect can crash the nats-server by triggering a panic. This happens pre-authentication and requires that compression be enabled (which it is, by default, when leafnodes are used). Versions 2.11.14 and 2.12.5 contain a fix. As a workaround, disable compression on the leafnode port.
  Title added: NATS Server panic via malicious compression on leafnode port
  Weaknesses added: CWE-476
  References: updated
  Metrics (cvssV3_1) added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-28T01:34:06.528Z

Reserved: 2026-03-04T16:26:02.899Z

Link: CVE-2026-29785

Vulnrichment

Updated: 2026-03-28T01:34:01.250Z

NVD

Status: Analyzed

Published: 2026-03-25T20:16:30.373

Modified: 2026-03-26T17:13:31.983

Link: CVE-2026-29785

Redhat

Severity: Important

Public Date: 2026-03-25T19:38:44Z

Links: CVE-2026-29785 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T09:30:15Z

Weaknesses