Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Network-reachable low-complexity overflow crashing the broker gives A:H with no C/I; PR:L reflects access to the monitoring interface, and the panic stays within one security authority so S:U.
Primary rating from Vendor (vendor:ubuntu).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
9DescriptionNVD
[Unknown description]
AnalysisAI
Denial of service in NATS Server (nats-io/nats-server) affects the HTTP monitoring endpoints /connz and /subsz, where attacker-controlled offset and limit pagination parameters trigger a signed integer overflow (Offset+Limit wrapping from math.MaxInt64 to math.MinInt64), producing invalid slice bounds and a server panic. Any client able to reach the monitoring interface can crash the broker, disrupting all connected messaging clients. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the NATS Server HTTP monitoring interface be enabled and reachable by the attacker, and that a request reach the /connz or /subsz endpoint with a crafted offset value near math.MaxInt64 (e.g., offset=9223372036854775807 with limit=1) so the sum overflows. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The assigned CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H (7.7) describes a network-reachable, low-complexity, availability-only impact requiring low privileges - consistent with a DoS that crashes the broker with no confidentiality or integrity loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with access to the NATS monitoring HTTP port sends a request such as GET /connz?offset=9223372036854775807&limit=1 (or the equivalent /subsz?subs=1&offset=...&limit=1), causing the offset+limit addition to overflow and the server to panic. Because impact is availability-only, the result is a crash of the broker and disruption of all messaging clients; no public exploit code was provided, but the added regression tests demonstrate the exact overflowing inputs. |
| Remediation | Upgrade to a fixed release: Vendor-released patch v2.12.12 (2.12.x line) or v2.14.3 (2.14.x line), available at https://github.com/nats-io/nats-server/releases/tag/v2.12.12 and https://github.com/nats-io/nats-server/releases/tag/v2.14.3; review GHSA-q59r-vq66-pxc2 for the full advisory. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all NATS Server deployments and document their versions using 'nats-server -v'; assess which networks and clients can reach the /connz and /subsz HTTP monitoring endpoints. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Nats Server
View allNATS Server 2.x before 2.2.0 and JWT library before 2.0.1 have Incorrect Access Control because Import Token bindings ar
The JWT library in NATS nats-server before 2.1.9 has Incorrect Access Control because of how expired credentials are han
This affects all versions of package github.com/nats-io/nats-server/server. Rated high severity (CVSS 7.5), this vulnera
NATS nats-server before 2.7.2 has Incorrect Access Control. Rated high severity (CVSS 8.8), this vulnerability is remote
Authentication bypass in NATS Server (nats-io/nats-server) lets an unauthenticated attacker on an adjacent network conne
Remote denial of service in the NATS Server (nats-io/nats-server) leafnode subsystem allows unauthenticated attackers to
Denial of service in NATS Server (nats-server) MQTT handler allows a remote, unauthenticated client to exhaust server me
An integer overflow in NATS Server before 2.0.2 allows a remote attacker to crash the server by sending a crafted reques
Remote denial-of-service in NATS Server (nats-server) affects deployments with the WebSocket listener enabled but MQTT d
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise,
The JWT library in NATS nats-server before 2.1.9 allows a denial of service (a nil dereference in Go code). Rated high s
Protocol injection in NATS Server MQTT support allows an authenticated MQTT client to smuggle control characters (tab, n
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42389