PT-2026-27616 · Nats.Io · Nats Server

Published: 2026-02-24 · Updated: 2026-05-21 · CVE-2026-33219

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions

NATS-Server versions prior to 2.11.15
NATS-Server versions prior to 2.12.6

Description

NATS-Server, a high-performance server for NATS.io, is affected by an issue where a malicious client connecting to the WebSockets port can cause unbounded memory use before authentication. Memory grows in proportion to the data the client sends, so triggering it requires the client to transmit a correspondingly large amount of data. This is a milder variant of a previously reported issue that involved a compression bomb. Exploitation of this issue requires significant client bandwidth.

Recommendations

Versions prior to 2.11.15 should be updated to version 2.11.15 or later. Versions prior to 2.12.6 should be updated to version 2.12.6 or later. If WebSockets are not required for the deployment, disable them as a workaround.

Weakness Enumeration

Allocation of Resources Without Limits

Related identifiers

BIT-NATS-2026-33219
CVE-2026-33219
GHSA-8R68-GVR4-JH7J
GHSA-QRVQ-68C2-7GRW
GO-2026-4831
SUSE-SU-2026:1135-1

Affected products

Nats Server