logo

Database

Asymmetric denial of service In github.com/nats-io/nats-server/v2

Description

NATS is vulnerable to pre-auth DoS through WebSockets client service

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server offers a WebSockets client service, used in deployments where browsers are the NATS clients.

Problem Description

A malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires sending a corresponding amount of data.

This is a milder variant of NATS-advisory-ID 2026-02 (aka CVE-2026-27571; GHSA-qrvq-68c2-7grw). That earlier issue was a compression bomb, this vulnerability is not. Attacks against this new issue thus require significant client bandwidth.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

Disable websockets if not required for project deployment.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-332192. NVD-2026-332193. OSV-2026-332194. GHSA-8r68-gvr4-jh7j5. GHSA-qrvq-68c2-7grw6. GCVE-2026-33219

References

1. https://github.com/nats-io/nats-server/security/advisories/GHSA-8r68-gvr4-jh7j2. https://advisories.nats.io/CVE/secnote-2026-02.txt3. https://advisories.nats.io/CVE/secnote-2026-11.txt

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.