CVE-2026-27571
Compression Bomb Memory Exhaustion in NATS-Server WebSockets Handling
Publication date: 2026-02-24
Last updated on: 2026-02-26
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | nats-server | Up to 2.11.12 (exc) |
| linuxfoundation | nats-server | From 2.12.0 (inc) to 2.12.3 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-409 | The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. |
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27571 is a vulnerability in the NATS server's WebSockets message handling where compressed messages are processed without properly limiting the memory used during decompression.

Although the server limits the size of the final NATS message, it does not independently limit the memory consumed by the decompression stream. This allows an attacker to send a compression bomb: maliciously crafted compressed data that expands to consume excessive memory.

Because the compression negotiation happens before authentication, an attacker does not need valid credentials to exploit this vulnerability.

The excessive memory consumption can cause the operating system to terminate the server process, resulting in a denial of service (DoS).

The vulnerability affects only deployments using WebSockets that expose the network port to untrusted endpoints.

The fix, implemented in versions 2.11.12 and 2.12.3, enforces a strict upper bound on decompression size, causing decompression to fail once the message exceeds the allowed size, preventing excessive memory consumption. [2, 3]
How can this vulnerability impact me?
This vulnerability can lead to a denial of service (DoS) condition by causing the NATS server to consume excessive memory during decompression of maliciously crafted compressed WebSocket messages.

The excessive memory usage can cause the operating system to terminate the server process, resulting in service disruption.

Since exploitation does not require authentication, attackers can trigger this vulnerability remotely if the server's WebSocket port is exposed to untrusted networks.

Therefore, the impact is primarily on availability, potentially causing downtime or instability in systems relying on the NATS server for messaging. [2]
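The core of the fix described above, as an added illustration written for this page (not nats-server's own code): a raw-DEFLATE inflater (the format behind WebSocket permessage-deflate) that stops once the output would exceed a fixed bound, shown beside the unbounded pattern that trusts the stream. The function names, the 1 MiB cap and the zero-filled sample input are assumptions chosen for the demonstration.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// ErrDecompressedTooLarge is returned once the inflated output exceeds the bound.
var ErrDecompressedTooLarge = errors.New("decompressed message exceeds maximum size")

// inflateBounded inflates raw DEFLATE data but refuses to produce more than
// maxBytes of output. It copies at most maxBytes+1 bytes, so an oversized
// stream is detected after one extra byte, never by buffering its full expansion.
func inflateBounded(compressed []byte, maxBytes int64) ([]byte, error) {
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	var out bytes.Buffer
	n, err := io.CopyN(&out, r, maxBytes+1)
	if err != nil && err != io.EOF { // io.EOF just means the stream was shorter than the cap
		return nil, err
	}
	if n > maxBytes {
		return nil, ErrDecompressedTooLarge
	}
	return out.Bytes(), nil
}

// inflateUnbounded mirrors the vulnerable pattern: whatever the compressed
// data expands to is allocated in full before any message-size check can run.
func inflateUnbounded(compressed []byte) ([]byte, error) {
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	return io.ReadAll(r)
}

// deflate compresses data so the example is self-contained (constructed input only).
func deflate(data []byte) []byte {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression)
	w.Write(data)
	w.Close()
	return buf.Bytes()
}

func main() {
	highRatio := deflate(make([]byte, 8<<20)) // constructed: 8 MiB of zeros, a few KiB compressed
	_, err := inflateBounded(highRatio, 1<<20)   // assumed 1 MiB cap
	fmt.Println("bounded:", err)                 // rejected with ErrDecompressedTooLarge
	small, _ := inflateBounded(deflate([]byte("PUB foo 5\r\nhello\r\n")), 1<<20)
	fmt.Printf("ordinary message inflates to %d bytes\n", len(small))
}
```

The bounded variant's peak allocation is the cap plus one byte regardless of the compression ratio, which is the property the patched versions enforce.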
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects NATS Server deployments that use WebSockets and expose the network port to untrusted endpoints. Detection involves monitoring for abnormal memory consumption or server process terminations caused by excessive memory use during WebSocket message decompression.
Since the vulnerability is related to decompression of compressed WebSocket frames, you can detect potential exploitation attempts by monitoring WebSocket traffic for unusually large compressed messages or by checking server logs for errors related to decompression failures or unexpected disconnects.
Specific commands are not provided in the available resources, but general approaches include:
- Use network monitoring tools (e.g., tcpdump, Wireshark) to capture WebSocket traffic and analyze for large or suspicious compressed frames.
- Check NATS server logs for errors related to decompression limits or client disconnects caused by exceeding maximum payload sizes.
- Monitor system memory usage and process restarts of the NATS server to identify potential denial-of-service conditions.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the NATS server to a fixed version that includes the patch for CVE-2026-27571.
- Upgrade to NATS server version 2.11.12 or later, or version 2.12.3 or later, where the decompression size limit is enforced to prevent excessive memory consumption.
Additionally, consider the following steps:
- Restrict exposure of the WebSocket network port to trusted networks only, avoiding exposure to untrusted endpoints.
- Implement network-level controls such as firewalls or intrusion detection systems to monitor and block suspicious WebSocket traffic.
- Monitor server resource usage and logs to detect and respond to potential exploitation attempts.