PT-2026-21766 · Nats · Nats Server

Pavel Kohout · Published 2026-01-01 · Updated 2026-03-03

CVE-2026-27571

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

NATS-Server versions prior to 2.11.2
NATS-Server versions prior to 2.12.3

Description

NATS-Server, a high-performance messaging system, has an issue in its WebSocket implementation. The server handles compressed messages via WebSocket negotiated compression. Prior to versions 2.11.2 and 2.12.3, the implementation only bounded the size of a decoded NATS message but did not independently bound the memory consumed while that message was being constructed from the compressed stream. This allows an attacker to send a compression bomb (a small compressed payload that inflates to a very large one), causing excessive memory consumption and potentially terminating the server process. The issue does not require valid NATS credentials to exploit, because compression negotiation occurs before authentication.

Recommendations

Update NATS-Server to version 2.11.2 or later.
Update NATS-Server to version 2.12.3 or later.
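As an added illustration of the mitigation the advisory describes (not the NATS Server project's own code), the Go function below inflates a raw DEFLATE stream, the encoding that WebSocket permessage-deflate carries, while capping the number of decompressed bytes it will ever buffer, so a tiny compressed input cannot force a large allocation. The function names `inflateBounded` and `makeHighlyCompressible` are assumptions for this example, and the test payload is constructed here.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// ErrInflatedTooLarge is returned when the decompressed output would exceed the cap.
var ErrInflatedTooLarge = errors.New("inflated payload exceeds limit")

// inflateBounded decompresses a raw DEFLATE stream but refuses to buffer more than
// maxOut bytes of output, regardless of how small the compressed input is. The limit
// is enforced while the message is being built, not only on the finished message,
// which is the property the advisory says earlier versions lacked.
func inflateBounded(compressed []byte, maxOut int64) ([]byte, error) {
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	var out bytes.Buffer
	// Ask for at most maxOut+1 bytes: the extra byte reveals that the cap was
	// exceeded without ever decompressing the rest of the payload.
	n, err := io.CopyN(&out, r, maxOut+1)
	if err != nil && err != io.EOF {
		return nil, err
	}
	if n > maxOut {
		return nil, ErrInflatedTooLarge
	}
	return out.Bytes(), nil
}

// makeHighlyCompressible builds a constructed test payload: inflatedSize zero bytes
// compressed with DEFLATE, which shrinks to a tiny fraction of its expanded size.
func makeHighlyCompressible(inflatedSize int) []byte {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression)
	w.Write(make([]byte, inflatedSize))
	w.Close()
	return buf.Bytes()
}

func main() {
	payload := makeHighlyCompressible(8 << 20) // expands to 8 MiB
	fmt.Printf("compressed input: %d bytes\n", len(payload))
	_, err := inflateBounded(payload, 1<<20) // allow at most 1 MiB of output
	fmt.Println("bounded inflate:", err)
}
```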

Tags: Exploit, Fix, DoS

Weakness Enumeration

Allocation of Resources Without Limits

Related Identifiers

AZL-78372
AZL-78374
BIT-NATS-2026-27571
CVE-2026-27571
GHSA-QRVQ-68C2-7GRW
GO-2026-4533
SUSE-SU-2026:0757-1

Affected Products

Nats Server