CVE-2026-27571

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The WebSockets handling of NATS messages handles compressed messages via the WebSockets negotiated compression. Prior to versions 2.11.2 and 2.12.3, the implementation bound the memory size of a NATS message but did not independently bound the memory consumption of the memory stream when constructing a NATS message which might then fail validation for size reasons. An attacker can use a compression bomb to cause excessive memory consumption, often resulting in the operating system terminating the server process. The use of compression is negotiated before authentication, so this does not require valid NATS credentials to exploit. The fix, present in versions 2.11.2 and 2.12.3, was to bounds the decompression to fail once the message was too large, instead of continuing on. The vulnerability only affects deployments which use WebSockets and which expose the network port to untrusted end-points.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-409",
        "CWE-770"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27571.json"
}

References

Affected packages

Git / github.com/nats-io/nats-server

Affected ranges

Type

GIT

Repo

https://github.com/nats-io/nats-server

Events

Introduced

Fixed

2d97cb7d9d27f1f07b4851e85289ea16841d2e0b

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.11.12"
        }
    ]
}

Type

GIT

Repo

https://github.com/nats-io/nats-server

Events

Introduced

4dccf778573cd9a9e52fb8f119718459f6f2f761

Fixed

450a519adf9c53e3d86623bb423dcad5e658ae78

Database specific

{
    "versions": [
        {
            "introduced": "2.12.0-RC.1"
        },
        {
            "fixed": "2.12.3"
        }
    ]
}

Affected versions

v0.*

v0.5.1

v0.5.2

v0.5.4

v0.5.6

v0.6.0

v0.6.2

v0.6.4

v0.6.6

v0.6.8

v0.7.0

v0.7.2

v0.8.0

v0.8.1

v0.9.2

v0.9.4

v0.9.6

v1.*

v1.0.0

v1.0.2

v1.0.4

v1.0.6

v1.1.0

v1.2.0

v1.3.0

v2.*

v2.0.0

v2.0.0-RC14

v2.0.0-RC19

v2.0.2

v2.0.4

v2.1.0

v2.1.2

v2.1.4

v2.1.6

v2.1.7

v2.10.0

v2.10.1

v2.10.2

v2.10.3

v2.11.0

v2.11.0-RC.1

v2.11.0-RC.2

v2.11.0-RC.3

v2.11.0-RC.4

v2.11.0-RC.5

v2.11.0-dev

v2.11.10

v2.11.10-RC.1

v2.11.11

v2.11.11-RC.1

v2.11.11-RC.2

v2.11.11-RC.3

v2.11.11-RC.4

v2.11.12-RC.1

v2.11.12-RC.2

v2.11.12-RC.3

v2.11.12-RC.4

v2.11.12-RC.5

v2.11.12-RC.6

v2.11.12-RC.7

v2.11.2

v2.11.2-RC.1

v2.11.2-RC.2

v2.11.2-RC.3

v2.11.3

v2.11.3-RC.1

v2.11.3-RC.2

v2.11.4

v2.11.4-RC.1

v2.11.4-RC.2

v2.11.4-RC.3

v2.11.5

v2.11.5-RC.1

v2.11.5-RC.2

v2.11.5-RC.3

v2.11.5-RC.4

v2.11.6

v2.11.6-RC.1

v2.11.7

v2.11.7-RC.1

v2.11.7-RC.2

v2.11.7-RC.3

v2.11.8

v2.11.8-RC.1

v2.11.9

v2.11.9-RC.1

v2.11.9-RC.2

v2.11.9-RC.3

v2.12.0

v2.12.0-RC.1

v2.12.0-RC.2

v2.12.0-RC.3

v2.12.0-RC.4

v2.12.0-RC.5

v2.12.0-RC.6

v2.12.1

v2.12.1-RC.1

v2.12.1-RC.2

v2.12.1-RC.3

v2.12.1-RC.4

v2.12.1-RC.5

v2.12.2

v2.12.2-RC.1

v2.12.2-RC.2

v2.12.2-RC.3

v2.12.2-RC.4

v2.12.3-RC.1

v2.12.3-RC.2

v2.12.3-RC.3

v2.12.3-RC.4

v2.12.3-RC.5

v2.2.0

v2.2.1

v2.2.2

v2.2.3

v2.2.4

v2.2.5

v2.2.6

v2.3.0

v2.3.1

v2.3.2

v2.3.3

v2.3.4

v2.4.0

v2.5.0

v2.6.0

v2.6.1

v2.6.2

v2.6.3

v2.6.4

v2.6.5

v2.6.6

v2.7.0

v2.7.0-rc1

v2.7.0-rc2

v2.7.1

v2.7.2

v2.7.3

v2.7.4

v2.8.0

v2.8.1

v2.8.2

v2.8.3

v2.8.4

v2.9.0

v2.9.1

v2.9.10

v2.9.11

v2.9.12

v2.9.14

v2.9.15

v2.9.16

v2.9.17

v2.9.18

v2.9.19

v2.9.2

v2.9.20

v2.9.21

v2.9.22

v2.9.3

v2.9.4

v2.9.5

v2.9.6

v2.9.7

v2.9.8

v2.9.9

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-27571.json"