Impact
NATS Server incorrectly routes requests for the MQTT-over-WebSocket path into MQTT handling even when MQTT is not enabled. An unauthenticated client that can connect to the WebSocket listener can trigger uninitialized MQTT state, causing the server process to crash. This flaw is a classic case of using an uninitialized local variable (CWE‑248) and leads to a disruption of service for all clients.
Affected Systems
The vulnerable product is nats-io’s NATS Server. Versions prior to 2.14.3 and 2.12.12 are affected; installations of 2.14.3, 2.12.12, or later have the fix applied.
Risk and Exploitability
The CVSS score of 6.8 indicates a moderate severity vulnerability that can be exploited remotely. The EPSS score is not available, and the flaw is not listed in CISA’s KEV catalog, suggesting that current exploitation activity is unknown. The attack requires connectivity to the WebSocket listener and does not require authentication, making it accessible to anyone with network access to the server. A successful exploit would cause a server crash, resulting in a denial of service to all consumers of the messaging system.
OpenCVE Enrichment