Denial of Service due to incorrect MQTT-over-WebSocket request routing
Summary
NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, a WebSocket listener could route requests for the MQTT-over-WebSocket path into MQTT handling even when MQTT was not configured, allowing an unauthenticated client with access to the WebSocket listener to reach uninitialized MQTT state and crash the server process. This issue is fixed in versions 2.14.3 and 2.12.12. A flaw was found in NATS Server. This can result in a Denial of Service (DoS) for the NATS Server. This Moderate flaw in NATS Server allows an unauthenticated remote attacker to cause a denial of service. This impacts the availability of NATS Server deployments that expose a WebSocket listener, as it does not require specific MQTT configuration to exploit. Red Hat severity: Moderate — CVSS 6.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H). Weakness: CWE-824. Red Hat lists Red Hat Hardened Images as not affected.
- < 2.14.3
- < 2.12.12
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
- 2.14.3
- 2.12.12
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Mitigation checklist
- To mitigate this issue, restrict network access to the NATS Server's WebSocket listener to trusted clients only using firewall rules. If the WebSocket listener is not required, it can be disabled in the NATS Server configuration. Disabling the WebSocket listener may impact services that rely on WebSocket connectivity to the NATS Server. After making configuration changes, ensure to restart the NATS Server process for the changes to take effect.
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.