PT-2026-27616 · Nats.Io · Nats Server

Published 2026-02-24 · Updated 2026-05-21 · CVE-2026-33219

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: NATS-Server versions prior to 2.11.15; NATS-Server versions prior to 2.12.6

Description: NATS-Server, a high-performance server for NATS.io, is affected by an issue where a malicious client connecting to the WebSockets port can cause unbounded memory use before authentication. This requires the client to send a corresponding amount of data. This is a milder variant of a previously reported issue that involved a compression bomb. Exploitation of this issue requires significant client bandwidth.

Recommendations: Versions prior to 2.11.15 should be updated to version 2.11.15 or later. Versions prior to 2.12.6 should be updated to version 2.12.6 or later. If WebSockets are not required for the deployment, disable them as a workaround.

Weakness Enumeration

Allocation of Resources Without Limits

Related Identifiers

BIT-NATS-2026-33219
CVE-2026-33219
GHSA-8R68-GVR4-JH7J
GHSA-QRVQ-68C2-7GRW
GO-2026-4831
SUSE-SU-2026:1135-1

Affected Products

Nats Server