CVE-2026-27571
Compression Bomb Memory Exhaustion in NATS-Server WebSockets Handling

Publication date: 2026-02-24

Last updated on: 2026-02-26

Assigner: GitHub, Inc.

Description
NATS-Server is a high-performance server for NATS.io, a cloud and edge native messaging system. The WebSockets handling of NATS messages handles compressed messages via the WebSockets negotiated compression. Prior to versions 2.11.2 and 2.12.3, the implementation bound the memory size of a NATS message but did not independently bound the memory consumed by the decompression stream while constructing a NATS message, which might then fail validation for size reasons. An attacker can use a compression bomb to cause excessive memory consumption, often resulting in the operating system terminating the server process. The use of compression is negotiated before authentication, so this does not require valid NATS credentials to exploit. The fix, present in versions 2.11.2 and 2.12.3, was to bound the decompression so that it fails once the message is too large, instead of continuing on. The vulnerability only affects deployments which use WebSockets and which expose the network port to untrusted endpoints.
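As an added illustration (not NATS-Server's own code), the two patterns the description contrasts: inflating the whole compressed payload into memory and only then checking it against the maximum message size, versus capping the inflater at that size so an oversized stream fails before it is fully expanded. Function names are assumed for the example; the input is constructed from highly compressible zero bytes.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"io"
)

var ErrTooLarge = errors.New("inflated message exceeds max payload")

// decompressUnbounded mirrors the pre-fix pattern: inflate everything into memory
// and only then check the size, so a few KB of input can expand far past maxPayload.
func decompressUnbounded(compressed []byte, maxPayload int) ([]byte, error) {
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	out, err := io.ReadAll(r) // no bound on the inflated size
	if err != nil {
		return nil, err
	}
	if len(out) > maxPayload {
		return nil, ErrTooLarge
	}
	return out, nil
}

// decompressBounded mirrors the fix: read at most maxPayload+1 inflated bytes,
// so an oversized stream is rejected without ever being fully expanded.
func decompressBounded(compressed []byte, maxPayload int) ([]byte, error) {
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	out, err := io.ReadAll(io.LimitReader(r, int64(maxPayload)+1))
	if err != nil {
		return nil, err
	}
	if len(out) > maxPayload { // the extra byte means the limit was crossed
		return nil, ErrTooLarge
	}
	return out, nil
}

// compressZeros builds the constructed test input: n zero bytes deflated,
// which shrink to a tiny fraction of n (the shape of a compression bomb).
func compressZeros(n int) []byte {
	var b bytes.Buffer
	w, _ := flate.NewWriter(&b, flate.BestCompression)
	w.Write(make([]byte, n))
	w.Close()
	return b.Bytes()
}
```

The unbounded path still reports the oversized message, but only after allocating its full inflated size; the bounded path never allocates more than roughly the limit plus buffer slack.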
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-02-24
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor Product Version / Range
linuxfoundation nats-server to 2.11.12 (exc)
linuxfoundation nats-server From 2.12.0 (inc) to 2.12.3 (exc)
CWE ID Description
CWE-409 The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-27571 is a vulnerability in the NATS server's WebSockets message handling where compressed messages are processed without properly limiting the memory used during decompression.

Although the server limits the size of the final NATS message, it does not independently limit the memory consumed by the decompression stream. This allows an attacker to send a compression bomb: maliciously crafted compressed data that expands to consume excessive memory.

Because the compression negotiation happens before authentication, an attacker does not need valid credentials to exploit this vulnerability.

The excessive memory consumption can cause the operating system to terminate the server process, resulting in a denial of service (DoS).

The vulnerability affects only deployments using WebSockets that expose the network port to untrusted endpoints.

The fix, implemented in versions 2.11.12 and 2.12.3, enforces a strict upper bound on decompression size, causing decompression to fail once the message exceeds the allowed size, preventing excessive memory consumption. [2, 3]


How can this vulnerability impact me?

This vulnerability can lead to a denial of service (DoS) condition by causing the NATS server to consume excessive memory during decompression of maliciously crafted compressed WebSocket messages.

The excessive memory usage can cause the operating system to terminate the server process, resulting in service disruption.

Since exploitation does not require authentication, attackers can trigger this vulnerability remotely if the server's WebSocket port is exposed to untrusted networks.

Therefore, the impact is primarily on availability, potentially causing downtime or instability in systems relying on the NATS server for messaging. [2]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability affects NATS Server deployments that use WebSockets and expose the network port to untrusted endpoints. Detection involves monitoring for abnormal memory consumption or server process terminations caused by excessive memory use during WebSocket message decompression.

Since the vulnerability is related to decompression of compressed WebSocket frames, you can detect potential exploitation attempts by monitoring WebSocket traffic for unusually large compressed messages or by checking server logs for errors related to decompression failures or unexpected disconnects.

Specific commands are not provided in the available resources, but general approaches include:

  • Use network monitoring tools (e.g., tcpdump, Wireshark) to capture WebSocket traffic and analyze for large or suspicious compressed frames.
  • Check NATS server logs for errors related to decompression limits or client disconnects caused by exceeding maximum payload sizes.
  • Monitor system memory usage and process restarts of the NATS server to identify potential denial-of-service conditions.

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade the NATS server to a fixed version that includes the patch for CVE-2026-27571.

  • Upgrade to NATS server version 2.11.12 or later, or version 2.12.3 or later, where the decompression size limit is enforced to prevent excessive memory consumption.

Additionally, consider the following steps:

  • Restrict exposure of the WebSocket network port to trusted networks only, avoiding exposure to untrusted endpoints.
  • Implement network-level controls such as firewalls or intrusion detection systems to monitor and block suspicious WebSocket traffic.
  • Monitor server resource usage and logs to detect and respond to potential exploitation attempts.
