logo

Database

Lack of data validation In github.com/nats-io/nats-server/v2

Description

NATS has pre-auth server panic via leafnode handling

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server allows hub/spoke topologies using "leafnode" connections by other nats-servers.

Problem Description

A client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

    Disable leafnode support if not needed.

    Restrict network connections to your leafnode port, if plausible without compromising the service offered.

References

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-332182. NVD-2026-332183. OSV-2026-332184. GHSA-vprv-35vv-q3395. GCVE-2026-33218

References

1. https://github.com/nats-io/nats-server/security/advisories/GHSA-vprv-35vv-q3392. https://advisories.nats.io/CVE/secnote-2026-10.txt

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.