CVE-2026-29785

NATS Server panic via malicious compression on leafnode port

Assigner: GitHub_M
Reserved: 04.03.2026 Published: 25.03.2026 Updated: 25.03.2026

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.14 and 2.12.5, if the nats-server has the "leafnode" configuration enabled (not default), then anyone who can connect can crash the nats-server by triggering a panic. This happens pre-authentication and requires that compression be enabled (which it is, by default, when leafnodes are used). Versions 2.11.14 and 2.12.5 contain a fix. As a workaround, disable compression on the leafnode port.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 7.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	nats-io
Product	nats-server
Versions	Version < 2.11.14 is affected Version >= 2.12.0-RC.1, < 2.12.5 is affected

Vendor

nats-io

Product

nats-server

Versions

Version < 2.11.14 is affected
Version >= 2.12.0-RC.1, < 2.12.5 is affected

References

Problem Types

CWE-476: NULL Pointer Dereference CWE

CVE-2026-29785 PUBLISHED

NATS Server panic via malicious compression on leafnode port

Metrics

Product Status

References

Problem Types