Skip to main content

CVE-2026-33219

MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-03-24 https://github.com/nats-io/nats-server
5.3
CVSS 3.1 · Vendor: https://github.com/nats-io/nats-server
Share

Severity by source

Vendor (https://github.com/nats-io/nats-server) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
SUSE
MEDIUM
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (https://github.com/nats-io/nats-server).

CVSS VectorVendor: https://github.com/nats-io/nats-server

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 24, 2026 - 22:01 vuln.today
CVE Published
Mar 24, 2026 - 21:46 nvd
MEDIUM 5.3

DescriptionCVE.org

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server offers a WebSockets client service, used in deployments where browsers are the NATS clients.

Problem Description

A malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires sending a corresponding amount of data.

This is a milder variant of NATS-advisory-ID 2026-02 (aka CVE-2026-27571; GHSA-qrvq-68c2-7grw). That earlier issue was a compression bomb, this vulnerability is not. Attacks against this new issue thus require significant client bandwidth.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

Disable websockets if not required for project deployment.

AnalysisAI

NATS.io nats-server WebSockets service is vulnerable to unbounded memory consumption when malicious unauthenticated clients connect and transmit large amounts of data. This denial-of-service vulnerability affects versions before v2.12.6 or v2.11.15 and has a moderate CVSS score of 5.3 (CWE-770: Allocation of Resources Without Limits or Throttling). Unlike the related CVE-2026-27571 compression bomb variant, this attack requires significant client-side bandwidth rather than algorithmic compression exploitation.

Technical ContextAI

NATS.io is a cloud-native pub-sub messaging platform (CPE: pkg:go/github.com_nats-io_nats-server_v2) that offers WebSockets connectivity for browser-based clients. The vulnerability exists in the WebSockets handling code path prior to authentication completion. The root cause is classified under CWE-770 (Allocation of Resources Without Limits or Throttling), indicating insufficient resource allocation limits or throttling mechanisms on inbound WebSocket data before the authentication phase completes. When a client connects to the WebSockets port and begins transmitting data, the server buffers this data without enforcing limits, leading to unbounded memory allocation. This is specifically noted as a milder variant of CVE-2026-27571 (GHSA-qrvq-68c2-7grw), which was a compression-bomb attack; the current issue requires direct bandwidth rather than exploiting compression ratios.

RemediationAI

Upgrade nats-server to version v2.12.6 or later (main branch) or v2.11.15 or later (LTS branch). Check the NATS GitHub security advisory at https://github.com/nats-io/nats-server/security/advisories/GHSA-8r68-gvr4-jh7j for detailed patch instructions. If immediate patching is not possible, disable WebSockets functionality in nats-server configuration (disable websocket listener in the config file) if not required for your deployment, or restrict WebSocket listener access to trusted networks only via network-level controls (firewall rules, VPC security groups). Monitor memory usage on running nats-server instances for unexplained growth patterns that could indicate attack attempts. Apply rate limiting and connection throttling at the reverse proxy or load balancer layer if WebSockets must remain enabled.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-33219 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy