Source: nats-server
Version: 2.10.27-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for nats-server.

CVE-2026-27571[0]:
| NATS-Server is a High-Performance server for NATS.io, a cloud and
| edge native messaging system. The WebSockets handling of NATS
| messages handles compressed messages via the WebSockets negotiated
| compression. Prior to versions 2.11.2 and 2.12.3, the implementation
| bound the memory size of a NATS message but did not independently
| bound the memory consumption of the memory stream when constructing
| a NATS message which might then fail validation for size reasons. An
| attacker can use a compression bomb to cause excessive memory
| consumption, often resulting in the operating system terminating the
| server process. The use of compression is negotiated before
| authentication, so this does not require valid NATS credentials to
| exploit. The fix, present in versions 2.11.2 and 2.12.3, was to
| bound the decompression to fail once the message was too large,
| instead of continuing on. The vulnerability only affects deployments
| which use WebSockets and which expose the network port to untrusted
| end-points.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-27571
    https://www.cve.org/CVERecord?id=CVE-2026-27571
[1] https://github.com/nats-io/nats-server/security/advisories/GHSA-qrvq-68c2-7grw
[2] https://github.com/nats-io/nats-server/commit/f77fb7c4535e6727cc1a2899cd8e6bbdd8ba2017

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
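The advisory text above describes the defect in general terms: the inflated size of a compressed WebSocket frame was checked only after the whole frame had been decompressed into memory, so the message-size limit never capped the memory used while inflating. The following Go program is an added illustration of that difference and is not nats-server's code nor the content of the fix commit referenced in [2]; the function names, the 64 KiB limit and the sample payload are constructed here. It inflates the same highly compressible deflate stream two ways, with the size check after full inflation and with the limit enforced during inflation via io.LimitReader, and counts how many bytes each strategy pulled out of the decompressor before rejecting the message.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// ErrMessageTooLarge is returned when the inflated payload would exceed the configured limit.
var ErrMessageTooLarge = errors.New("decompressed message exceeds maximum size")

// countingReader records how many bytes have been pulled out of the decompressor,
// a proxy for how much memory each strategy lets a single frame consume.
type countingReader struct {
	r io.Reader
	n int64
}

func (c *countingReader) Read(p []byte) (int, error) {
	n, err := c.r.Read(p)
	c.n += int64(n)
	return n, err
}

// Deflate compresses data as a permessage-deflate peer would. It exists only to
// build the constructed sample input for the demonstration below.
func Deflate(data []byte) ([]byte, error) {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.BestCompression)
	if err != nil {
		return nil, err
	}
	if _, err := w.Write(data); err != nil {
		return nil, err
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// InflateThenCheck is the flawed pattern: inflate the whole frame into memory and
// only then compare it against the limit. The limit never caps the memory used
// while inflating, so a small compressed frame can expand without bound first.
func InflateThenCheck(compressed []byte, maxSize int64) ([]byte, int64, error) {
	cr := &countingReader{r: flate.NewReader(bytes.NewReader(compressed))}
	out, err := io.ReadAll(cr)
	if err != nil {
		return nil, cr.n, err
	}
	if int64(len(out)) > maxSize {
		return nil, cr.n, ErrMessageTooLarge
	}
	return out, cr.n, nil
}

// InflateBounded applies the limit during inflation: the LimitReader stops pulling
// from the decompressor after maxSize+1 bytes, so an oversized frame is rejected
// having consumed at most maxSize+1 bytes, however large it would have expanded to.
func InflateBounded(compressed []byte, maxSize int64) ([]byte, int64, error) {
	cr := &countingReader{r: flate.NewReader(bytes.NewReader(compressed))}
	out, err := io.ReadAll(io.LimitReader(cr, maxSize+1))
	if err != nil {
		return nil, cr.n, err
	}
	if int64(len(out)) > maxSize {
		return nil, cr.n, ErrMessageTooLarge
	}
	return out, cr.n, nil
}

// Demo inflates a constructed payload (16 MiB of zero bytes, a few KiB once deflated)
// under a 64 KiB message limit and reports how many bytes each strategy pulled out
// of the decompressor before rejecting it. Both limits are assumptions for the demo.
func Demo() (checkedAfter, boundedDuring int64, errAfter, errDuring error) {
	const maxSize = 64 << 10
	compressed, err := Deflate(bytes.Repeat([]byte{0}, 16<<20))
	if err != nil {
		return 0, 0, err, err
	}
	_, checkedAfter, errAfter = InflateThenCheck(compressed, maxSize)
	_, boundedDuring, errDuring = InflateBounded(compressed, maxSize)
	return checkedAfter, boundedDuring, errAfter, errDuring
}

func main() {
	after, during, errAfter, errDuring := Demo()
	fmt.Printf("inflate-then-check: inflated %d bytes before failing with: %v\n", after, errAfter)
	fmt.Printf("bounded inflate:    inflated %d bytes before failing with: %v\n", during, errDuring)
}
```

Both strategies reject the frame with the same error; the difference is that the first one inflates all 16 MiB before noticing, while the bounded one stops at 64 KiB + 1 byte. When auditing a decompression path, the check to make is that the size limit sits between the decompressor and the buffer, not after the buffer has been filled.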

