Denial of Service via arithmetic overflow in connection monitoring pagination
Summary
NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, a client able to send account-scoped connection monitoring requests could crash the server by supplying Connz pagination Offset and Limit values that overflowed internal arithmetic before the response window was safely bounded. This issue is fixed in versions 2.14.3 and 2.12.12. A flaw was found in NATS Server. This is achieved by providing pagination offset and limit values that cause an arithmetic overflow, leading to a Denial of Service (DoS). CVE.org and NVD independently assess this issue at different severities than Red Hat because CVE.org uses a Changed scope (S:C) in its CVSS vector, treating the crash as impacting components beyond the NATS Server process itself. Red Hat, consistent with NVDs own scoring, assesses the impact as scoped to the NATS Server process (Scope Unchanged), resulting in a CVSS score of 6.5 and a Moderate impact rating. Only account-scoped connection-monitoring requests can trigger the arithmetic overflow, and no Red Hat product runs an externally-reachable, unauthenticated NATS Server monitoring endpoint by default. Weakness: CWE-190. Affected Red Hat products: Multicluster Global Hub; Red Hat Ceph Storage 5; Red Hat Ceph Storage 6; Red Hat Ceph Storage 7; Red Hat Ceph Storage 8; Red Hat Ceph Storage 9.
- < 2.14.3
- < 2.12.12
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
- 2.14.3
- 2.12.12
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Mitigation checklist
- Upstream mitigation: restrict publish access to system request subjects (e.g. \.REQ.ACCOUNT.*.CONNZ) for untrusted clients, and avoid no-auth NATS deployments where untrusted clients can publish to system monitoring request subjects. Upgrading to nats-server 2.14.3 or 2.12.12 (or later) fully resolves the issue.
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.