Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Single unauthenticated pre-CONNECT packet to a network leafnode port crashes the process, so AV:N/AC:L/PR:N/UI:N with availability-only impact (A:H, C/I:N).
Primary rating from Vendor (vendor:ubuntu).
CVSS VectorVendor: vendor:ubuntu
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
7DescriptionCVE.org
[Unknown description]
AnalysisAI
Remote denial of service in the NATS Server (nats-io/nats-server) leafnode subsystem allows unauthenticated attackers to crash the entire server by sending a second INFO protocol message before CONNECT on the leafnode port, triggering a nil-pointer dereference (c.acc == nil) that panics the process. All server instances exposing a leafnode listener prior to v2.11.17 (2.11.x) and v2.12.8 (2.12.x) are affected. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target NATS Server has a leafnode listener enabled and reachable by the attacker (the LeafNode port must be configured and network-accessible); the vendor test also exercises it with leafnode compression negotiation (CompressionS2Auto) so an initial INFO is exchanged. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This is a genuine, easily-triggered availability risk for any deployment exposing a leafnode listener, but its blast radius is bounded to denial of service - the CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H correctly shows network reachability, low complexity, no privileges, no user interaction, and no confidentiality or integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach a NATS server's leafnode TCP port opens a connection, reads the server's initial INFO, replies with 'INFO {}' to pass compression negotiation, then immediately sends a second frame such as 'INFO {"remote_account":"attacker"}' before ever sending CONNECT. The server dereferences the still-nil account pointer and panics, crashing the process and dropping all messaging traffic; because the payload is trivial and requires no credentials, it can be scripted and repeated to keep the service down after every restart. |
| Remediation | Upgrade NATS Server to a patched release: v2.11.17 if you run the 2.11.x line or v2.12.8 if you run 2.12.x, per releases https://github.com/nats-io/nats-server/releases/tag/v2.11.17 and https://github.com/nats-io/nats-server/releases/tag/v2.12.8 and advisory https://github.com/nats-io/nats-server/security/advisories/GHSA-3g5q-cfh2-cq67 (fix commits 8dcb26eaea78fdcbe96dbee5986d6019fd5cb94a and fc5fe39177533e9dbdd651d2458285bfae1dde27). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all NATS Server instances to identify which expose leafnode listeners and restrict network access to these ports to trusted internal networks only. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Nats Server
View allNATS Server 2.x before 2.2.0 and JWT library before 2.0.1 have Incorrect Access Control because Import Token bindings ar
The JWT library in NATS nats-server before 2.1.9 has Incorrect Access Control because of how expired credentials are han
This affects all versions of package github.com/nats-io/nats-server/server. Rated high severity (CVSS 7.5), this vulnera
NATS nats-server before 2.7.2 has Incorrect Access Control. Rated high severity (CVSS 8.8), this vulnerability is remote
Authentication bypass in NATS Server (nats-io/nats-server) lets an unauthenticated attacker on an adjacent network conne
Denial of service in NATS Server (nats-server) MQTT handler allows a remote, unauthenticated client to exhaust server me
An integer overflow in NATS Server before 2.0.2 allows a remote attacker to crash the server by sending a crafted reques
Remote denial-of-service in NATS Server (nats-server) affects deployments with the WebSocket listener enabled but MQTT d
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise,
The JWT library in NATS nats-server before 2.1.9 allows a denial of service (a nil dereference in Go code). Rated high s
Protocol injection in NATS Server MQTT support allows an authenticated MQTT client to smuggle control characters (tab, n
NATS nats-server before 2.7.4 allows Directory Traversal (with write access) via an element in a ZIP archive for JetStre
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42380