Impact
A client capable of sending account‑scoped connection monitoring requests can exploit an integer overflow in the NATS Server’s Connz pagination logic. By supplying Offset and Limit values that exceed internal arithmetic limits before bounds are safely enforced, the server process crashes. The vulnerability is a classic Out‑Of‑Bounds or Arithmetic Overflow flaw (CWE‑190) that results in a denial of service condition rather than code execution.
Affected Systems
The issue affects nats-io’s NATS Server product for all releases preceding 2.12.12 and 2.14.3. Administrators should verify their installed version and plan to upgrade if running a vulnerable build.
Risk and Exploitability
With a CVSS score of 7.7 the vulnerability represents a high‑severity denial of service risk. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is over the network, where an attacker can craft a malformed Connz request and trigger a server crash. No conditions for privilege escalation or remote code execution are noted, but the crash can interrupt service availability for all connected clients.
OpenCVE Enrichment