PT-2026-28092 · Nats · Nats Server

Published: 2026-03-25 · Updated: 2026-05-21 · CVE-2026-27889

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

NATS-Server versions 2.2.0 through 2.11.14
NATS-Server versions 2.12.0 through 2.12.5
Description

NATS-Server, a high-performance messaging system, has a flaw where a missing sanity check on WebSocket frames can cause the server to panic. The check is missing in code that runs before authentication, so anyone with network access to the WebSocket port can trigger it. The root cause is a failure to validate the most significant bit of a 64-bit extended payload length: the unvalidated value goes through an integer conversion that defeats the bounds check, and the server crashes. The vulnerability affects deployments that enable WebSockets and expose the WebSocket port to untrusted endpoints. A malicious client can trigger it by sending a single crafted WebSocket frame with the following structure: a FIN and Binary frame, a MASK with a 127 length code, an 8-byte length field with the most significant bit set, a mask key, and a single payload byte. This results in a slice bounds out of range error and a panic that terminates the entire server process.
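The missing check, as an added illustration that is not NATS Server's own code: a Go decoder for the WebSocket payload length field that rejects a 64-bit extended length with the MSB set before any bounds check, next to the signed conversion the advisory describes going wrong. The `maxPayload` limit and the function names are assumptions, and the header bytes in `main` are constructed for the demonstration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// maxPayload is a hypothetical per-frame limit standing in for the server's bounds check.
const maxPayload = 1 << 20
var errBadLength = errors.New("websocket: invalid extended payload length")
// NaiveLength reproduces the flawed conversion the advisory describes: a 64-bit length
// with its high bit set turns negative, so a signed "length > max" check lets it through.
func NaiveLength(ext8 []byte) int64 { return int64(binary.BigEndian.Uint64(ext8)) }
// PayloadLength decodes a WebSocket frame's payload length (RFC 6455, section 5.2) and
// rejects a 64-bit extended length with the MSB set before the bounds check, so the value
// never reaches a slice expression. It also returns the header bytes consumed (mask key included).
func PayloadLength(b []byte) (length uint64, hdrLen int, err error) {
	if len(b) < 2 {
		return 0, 0, errors.New("websocket: truncated header")
	}
	length, hdrLen = uint64(b[1]&0x7f), 2
	switch {
	case length == 126 && len(b) >= 4:
		length, hdrLen = uint64(binary.BigEndian.Uint16(b[2:])), 4
	case length == 127 && len(b) >= 10:
		length, hdrLen = binary.BigEndian.Uint64(b[2:]), 10
		if length>>63 != 0 { // the missing sanity check: the MSB must be zero
			return 0, 0, errBadLength
		}
	case length >= 126:
		return 0, 0, errors.New("websocket: truncated header")
	}
	if length > maxPayload { // unsigned compare: no negative value can sneak past
		return 0, 0, errBadLength
	}
	if b[1]&0x80 != 0 { // MASK bit set: a 4-byte masking key follows the length
		if hdrLen += 4; len(b) < hdrLen {
			return 0, 0, errors.New("websocket: truncated header")
		}
	}
	return length, hdrLen, nil
}

func main() {
	// Constructed header: FIN+binary, MASK with length code 127, 8-byte length with MSB set, key.
	bad := []byte{0x82, 0xff, 0x80, 0, 0, 0, 0, 0, 0, 1, 0xde, 0xad, 0xbe, 0xef}
	_, _, err := PayloadLength(bad)
	fmt.Println("flawed conversion:", NaiveLength(bad[2:10]), "| hardened parser:", err)
}
```

The unsigned comparison alone would already stop the crash; the explicit MSB test additionally enforces what RFC 6455 requires of the field, which is the check the advisory says was missing.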
Recommendations

Upgrade the NATS server to a fixed version. As temporary workarounds, restrict access to the WebSocket port to trusted endpoints, or disable WebSockets if they are not required.

Exploit · Fix

Weakness Enumeration

Integer Overflow

Related Identifiers

BIT-NATS-2026-27889
CVE-2026-27889
GHSA-PQ2Q-RCW4-3HR6
GO-2026-4841
SUSE-SU-2026:1135-1

Affected Products

Nats Server