CVE-2026-27571

5.9 MEDIUM

📋 TL;DR

This vulnerability in NATS-Server allows attackers to cause denial of service via compression bombs in WebSocket messages. It affects deployments using WebSockets exposed to untrusted endpoints, and exploitation doesn't require authentication since compression is negotiated before credentials are checked.

💻 Affected Systems

Products:
  • NATS-Server
Versions: All versions before 2.11.2 and 2.12.3
Operating Systems: All platforms running NATS-Server
Default Config Vulnerable: ✅ No
Notes: Only affects deployments using WebSockets with compression enabled and exposed to untrusted endpoints

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server process termination due to excessive memory consumption, causing service disruption for all connected clients.

🟠 Likely Case

Server crashes or becomes unresponsive under targeted attack, requiring manual restart and causing a temporary service outage.

🟢 If Mitigated

Minimal impact if proper network segmentation and access controls prevent untrusted access to WebSocket endpoints.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Attack requires sending specially crafted compressed WebSocket messages to vulnerable endpoints

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.11.2 or 2.12.3

Vendor Advisory: https://github.com/nats-io/nats-server/security/advisories/GHSA-qrvq-68c2-7grw

Restart Required: Yes

Instructions:

1. Stop the NATS-Server service.
2. Update to version 2.11.2 or 2.12.3 using your package manager or a manual download.
3. Restart the NATS-Server service.

🔧 Temporary Workarounds

Disable WebSocket compression (all platforms)

Configure NATS-Server to disable WebSocket compression to prevent exploitation. Add the following to the NATS configuration:

websocket: { compression: false }

Restrict WebSocket access (linux)

Use firewall rules to limit WebSocket endpoint access to trusted sources only:

iptables -A INPUT -p tcp --dport <websocket_port> -s <trusted_ip> -j ACCEPT
iptables -A INPUT -p tcp --dport <websocket_port> -j DROP

🧯 If You Can't Patch

  • Implement network segmentation to isolate WebSocket endpoints from untrusted networks
  • Deploy rate limiting or Web Application Firewall (WAF) to detect and block compression bomb patterns

🔍 How to Verify

Check if Vulnerable:

Check the NATS-Server version and WebSocket configuration. If the version is below 2.11.2 on the 2.11 branch (or any earlier release), or below 2.12.3 on the 2.12 branch, and WebSockets are enabled with compression, the system is vulnerable.

Check Version:

nats-server --version

Verify Fix Applied:

Verify the version is 2.11.2+ on the 2.11 branch or 2.12.3+ on the 2.12 branch, and test WebSocket compression handling with large messages.
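The version check above is easy to get wrong because two release branches have different fixed patch levels. The following Go helper (an added example, not code from the NATS project or this advisory) parses the output of `nats-server --version`, assumed to be in the form `nats-server: v2.11.1`, and reports whether that release predates the fix on its branch. It checks only the version; WebSocket compression must still be enabled and exposed for the issue to be reachable.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Fixed releases named in the advisory: 2.11.2 on the 2.11 branch and
// 2.12.3 on the 2.12 branch. Earlier branches (2.10 and below) predate both.
var fixedPatchByMinor = map[int]int{11: 2, 12: 3}

type semver struct{ major, minor, patch int }

// parseNATSVersion accepts "2.11.1", "v2.11.1", or the assumed CLI banner
// "nats-server: v2.11.1" and returns the numeric major.minor.patch triple.
func parseNATSVersion(s string) (semver, error) {
	s = strings.TrimSpace(s)
	if i := strings.LastIndex(s, " "); i >= 0 {
		s = s[i+1:] // keep only the token after "nats-server:"
	}
	s = strings.TrimPrefix(s, "v")
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return semver{}, fmt.Errorf("unexpected version string %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil {
			return semver{}, fmt.Errorf("non-numeric component %q: %w", p, err)
		}
		n[i] = v
	}
	return semver{n[0], n[1], n[2]}, nil
}

// VulnerableToCVE202627571 is true when the release is older than the fixed
// release on its branch: anything before 2.11.2, or 2.12.x below 2.12.3.
func VulnerableToCVE202627571(v semver) bool {
	if v.major != 2 {
		return v.major < 2 // 1.x is older than every fix; 3.x+ ships after it
	}
	if fixed, ok := fixedPatchByMinor[v.minor]; ok {
		return v.patch < fixed
	}
	return v.minor < 11 // 2.10 and earlier are unpatched; 2.13+ is newer than both fixes
}
```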

📡 Detection & Monitoring

Log Indicators:

  • Server process termination logs
  • Out of memory errors
  • Unusual WebSocket connection patterns

Network Indicators:

  • High volume of compressed WebSocket messages from single source
  • Rapid memory consumption spikes

SIEM Query:

source="nats-server" AND ("out of memory" OR "panic" OR "fatal")
