Search criteria
ⓘ
Use full-text search for keyword queries.
Combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by dates instead of relevance.
Related vulnerabilities
GHSA-8R68-GVR4-JH7J
Vulnerability from github – Published: 2026-03-24 21:46 – Updated: 2026-03-24 21:46Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server offers a WebSockets client service, used in deployments where browsers are the NATS clients.
Problem Description
A malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires sending a corresponding amount of data.
This is a milder variant of NATS-advisory-ID 2026-02 (aka CVE-2026-27571; GHSA-qrvq-68c2-7grw). That earlier issue was a compression bomb, this vulnerability is not. Attacks against this new issue thus require significant client bandwidth.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
Disable websockets if not required for project deployment.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/nats-io/nats-server/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.11.15"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/nats-io/nats-server/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.12.0-RC.1"
},
{
"fixed": "2.12.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33219"
],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-24T21:46:31Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Background\n\nNATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.\n\nThe nats-server offers a WebSockets client service, used in deployments where browsers are the NATS clients.\n\n### Problem Description\n\nA malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires sending a corresponding amount of data.\n\nThis is a milder variant of [NATS-advisory-ID 2026-02](https://advisories.nats.io/CVE/secnote-2026-02.txt) (aka CVE-2026-27571; GHSA-qrvq-68c2-7grw).\nThat earlier issue was a compression bomb, this vulnerability is not. Attacks against this new issue thus require significant client bandwidth.\n\n### Affected Versions\n\nAny version before v2.12.6 or v2.11.15\n\n### Workarounds\n\nDisable websockets if not required for project deployment.",
"id": "GHSA-8r68-gvr4-jh7j",
"modified": "2026-03-24T21:46:31Z",
"published": "2026-03-24T21:46:31Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-8r68-gvr4-jh7j"
},
{
"type": "WEB",
"url": "https://advisories.nats.io/CVE/secnote-2026-02.txt"
},
{
"type": "WEB",
"url": "https://advisories.nats.io/CVE/secnote-2026-11.txt"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-qrvq-68c2-7grw"
},
{
"type": "PACKAGE",
"url": "https://github.com/nats-io/nats-server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "NATS is vulnerable to pre-auth DoS through WebSockets client service"
}