Impact
NATS Server suffers a crash during the pre‑authentication leafnode handshake when an unauthenticated peer repeatedly sends leafnode INFO protocol messages before authentication and account setup. This leads to a server crash, resulting in service disruption for all connections.
Affected Systems
The vulnerability affects NATS Server from the nats-io vendor. All releases prior to version 2.12.8 and 2.11.17 are impacted. The issue is resolved in releases 2.12.8 and 2.11.17 and later.
Risk and Exploitability
The CVSS score of 7.5 indicates a high‑severity denial‑of‑service flaw. The exploit requires unauthenticated network access to a leafnode listener with compression enabled, which is typically available to external peers. EPSS is not available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting no known widespread exploitation yet. Nonetheless, an attacker with network reach to the affected port could intentionally trigger the crash and disrupt availability.
OpenCVE Enrichment