Denial of Service via repeated leafnode INFO messages during pre-authentication
Summary
NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.12.8 and 2.11.17, an unauthenticated peer with network access to a leafnode listener with compression enabled could crash the server during the pre-authentication leafnode handshake by sending repeated leafnode INFO protocol messages before authentication and account setup completed. This issue is fixed in versions 2.12.8 and 2.11.17. A flaw was found in NATS Server, a high-performance messaging system. An unauthenticated attacker with network access to a leafnode listener, where compression is enabled, could exploit this vulnerability. By sending repeated leafnode INFO protocol messages during the pre-authentication handshake, the attacker can cause the server to crash. This leads to a Denial of Service (DoS), making the server unavailable to legitimate users. This is an Important denial of service vulnerability in NATS Server. An unauthenticated remote attacker with network access to a leafnode listener, configured with compression enabled, could repeatedly send INFO protocol messages during the pre-authentication handshake. This action would cause the NATS server to crash, leading to a denial of service for legitimate users. Red Hat severity: Important — CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Weakness: CWE-476. No fixing RHSA erratum has published yet; monitor the Red Hat CVE page and patch when it ships.
Mitigation checklist
- To reduce exposure, disable compression on NATS Server leafnode listeners if not strictly required for your environment. Alternatively, implement network access controls to restrict connectivity to leafnode listeners to only trusted clients. This limits the ability of unauthenticated peers to initiate the vulnerable handshake.
Official advisory · high-confidence parse· fetched 1 hour ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.