CVE-2026-27889
WebSockets Frame Validation Flaw Causes NATS-Server Panic
Publication date: 2026-03-25
Last updated on: 2026-03-26
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | nats-server | From 2.2.0 (inc) to 2.11.14 (exc) |
| linuxfoundation | nats-server | From 2.12.0 (inc) to 2.12.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an unauthenticated remote attacker to cause a denial of service by crashing the NATS server when WebSocket support is enabled. It does not directly affect the confidentiality or integrity of data, but the resulting crash disrupts the availability of every service relying on that NATS server, including cloud, on-premise, IoT, and edge computing deployments.
Disruptions to availability can affect compliance with standards and regulations such as GDPR and HIPAA, which require maintaining availability and resilience of systems processing personal or sensitive data. A denial of service could lead to service outages, loss of in-flight acknowledgments, and disruption of clustered deployments, potentially impacting the ability to meet these regulatory requirements.
Mitigations include restricting access to the WebSockets port or upgrading to fixed versions, which help maintain compliance by reducing the risk of service disruption.
Can you explain this vulnerability to me?
CVE-2026-27889 is a vulnerability in the NATS Server, a high-performance messaging system used in cloud, on-premise, IoT, and edge computing environments. The issue lies in the handling of WebSocket frames before client authentication. When a frame's 7-bit length marker is 127, the length is carried in a following 64-bit extended payload length field; RFC 6455 requires the most significant bit of that field to be zero, and the server did not check it.
Because the 64-bit value is converted to a signed integer without that check, a crafted frame whose extended length has the top bit set is interpreted as a negative payload length. Using that negative value as a slice bound triggers a Go runtime "slice bounds out of range" panic, which terminates the entire NATS server process. The vulnerability affects versions from 2.2.0 up to, but not including, 2.11.14, and versions 2.12.0 up to, but not including, 2.12.5.
The vulnerability is exploitable by anyone able to open a TCP connection to the WebSocket port, because the frame is processed before authentication; credentials, TLS client certificates, or account restrictions do not prevent it. The definitive fix is to upgrade to 2.11.14, 2.12.5, or later. Workarounds include restricting network access to the WebSocket port or disabling the WebSocket listener where it is not needed.
How can this vulnerability impact me?
This vulnerability allows a remote attacker to cause a denial of service (DoS) by crashing the entire NATS server with a single crafted WebSocket frame sent before authentication.
- The server process terminates unexpectedly, disconnecting all clients including NATS clients, WebSocket clients, MQTT-over-WebSocket clients, cluster routes, gateways, and leaf nodes.
- JetStream in-flight acknowledgments are lost, potentially causing message delivery issues.
- Raft consensus in clustered deployments is disrupted, affecting cluster stability and availability.
The attack requires only a single unauthenticated TCP connection to the WebSocket port and a small amount of malicious data, making it easy to exploit if the WebSocket port is exposed to untrusted networks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation can be detected by monitoring for unexpected nats-server crashes or restarts. A Go panic is written to the process's stderr as "panic: runtime error: slice bounds out of range ..." followed by a goroutine stack trace; a trace that passes through the WebSocket frame-reading code path before any client authentication has completed is the signature to look for. Configure your supervisor (systemd, Kubernetes, etc.) to capture stderr so the trace is not lost on restart.
Since the vulnerability is triggered by a specially crafted WebSocket frame, detection can also involve capturing and analyzing WebSocket traffic on the exposed port for malformed frames: a 7-bit length marker of 127 followed by a 64-bit extended payload length whose most significant bit is set, which RFC 6455 forbids. Note that if the WebSocket listener uses TLS (NATS requires TLS for WebSocket unless it is explicitly disabled), frame headers are encrypted on the wire, so this inspection has to happen at the TLS termination point or be replaced by the server-side crash monitoring above.
Specific commands are not provided in the resources, but general network monitoring tools like tcpdump or Wireshark can be used to capture WebSocket traffic on the server's WebSocket port. For example:
- tcpdump -i <interface> port <websocket_port> -w capture.pcap
- Use Wireshark to analyze the capture.pcap file for WebSocket frames with unusual extended payload length fields.
Additionally, alerting on the nats-server process exiting, or on the sudden disconnection of all clients, routes, gateways, and leaf nodes at once, can indicate exploitation attempts.
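The following Go program is an added example that is not part of the nats-server code base or this advisory. It serves two purposes: it reproduces the class of bug described in the explanation above (a 64-bit extended payload length converted to a signed integer without checking the top bit, so that the later slice expression panics), and its hardened validator, checkExtendedLen, is the check a detection script would apply to captured frame headers. The maximum payload constant, the function names, and the crafted and well-formed frames are all assumptions constructed for the example; the parser is a minimal RFC 6455 frame reader, not the nats-server implementation.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// maxPayload is an assumed per-frame limit for this example; it is not a
// nats-server setting.
const maxPayload = 1 << 20

// frameHeader holds the fixed part of a WebSocket frame (RFC 6455 section 5.2).
type frameHeader struct {
	fin        bool
	opcode     byte
	masked     bool
	payloadLen int // declared payload length
	headerLen  int // bytes consumed by the header, including the masking key
}

var errShort = errors.New("frame header truncated")

// checkExtendedLen is the sanity check the advisory says was missing: the
// 64-bit length must have its top bit clear (RFC 6455 requires it), must not
// fit a shorter encoding, and must respect a server-side limit.
func checkExtendedLen(v uint64) error {
	if v>>63 != 0 {
		return fmt.Errorf("64-bit payload length %#x has MSB set", v)
	}
	if v < 1<<16 {
		return fmt.Errorf("64-bit encoding used for length %d", v)
	}
	if v > maxPayload {
		return fmt.Errorf("payload length %d exceeds limit %d", v, maxPayload)
	}
	return nil
}

// parseFrame decodes one frame from buf. validate runs on the 64-bit extended
// length before it is converted to int; passing nil reproduces the vulnerable
// behaviour described in the advisory (illustrative code, not nats-server's).
func parseFrame(buf []byte, validate func(uint64) error) (frameHeader, []byte, error) {
	if len(buf) < 2 {
		return frameHeader{}, nil, errShort
	}
	h := frameHeader{fin: buf[0]&0x80 != 0, opcode: buf[0] & 0x0f, masked: buf[1]&0x80 != 0}
	off := 2
	switch l := int(buf[1] & 0x7f); {
	case l < 126:
		h.payloadLen = l
	case l == 126:
		if len(buf) < off+2 {
			return frameHeader{}, nil, errShort
		}
		h.payloadLen = int(binary.BigEndian.Uint16(buf[off:]))
		off += 2
	default: // 127: an 8-byte extended length follows
		if len(buf) < off+8 {
			return frameHeader{}, nil, errShort
		}
		v := binary.BigEndian.Uint64(buf[off:])
		if validate != nil {
			if err := validate(v); err != nil {
				return frameHeader{}, nil, err
			}
		}
		// On a 64-bit platform, values >= 1<<63 become negative here.
		h.payloadLen = int(v)
		off += 8
	}
	if h.masked {
		off += 4 // client-to-server frames carry a 4-byte masking key
	}
	if len(buf) < off {
		return frameHeader{}, nil, errShort
	}
	h.headerLen = off
	end := off + h.payloadLen
	if end > len(buf) {
		end = len(buf) // only part of the payload has arrived so far
	}
	// With a negative payloadLen, end < off and this slice expression panics
	// with "slice bounds out of range", taking the whole process down.
	payload := buf[off:end]
	if h.masked {
		key := buf[off-4 : off]
		unmasked := make([]byte, len(payload))
		for i, b := range payload {
			unmasked[i] = b ^ key[i%4]
		}
		payload = unmasked
	}
	return h, payload, nil
}

// craftedFrame is a constructed client frame: masked binary opcode, length
// marker 127, extended length 0xffffffffffffffff, and a zero masking key.
func craftedFrame() []byte {
	return []byte{0x82, 0xff,
		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
		0x00, 0x00, 0x00, 0x00}
}

// vulnerablePanics reports whether the unvalidated parser panics on buf and
// returns the recovered runtime error text.
func vulnerablePanics(buf []byte) (panicked bool, msg string) {
	defer func() {
		if r := recover(); r != nil {
			panicked, msg = true, fmt.Sprint(r)
		}
	}()
	parseFrame(buf, nil)
	return false, ""
}

func main() {
	p, msg := vulnerablePanics(craftedFrame())
	fmt.Printf("vulnerable parser panicked=%v: %s\n", p, msg)
	_, _, err := parseFrame(craftedFrame(), checkExtendedLen)
	fmt.Println("hardened parser rejected frame:", err)
}
```

The crafted frame is only 14 bytes, which matches the advisory's point that a single small unauthenticated message suffices. The hardened path rejects it before any conversion to a signed integer; the same three checks (top bit clear, minimal encoding, server-side cap) are what a packet inspector should apply to the first bytes of each client frame at the TLS termination point.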
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the WebSocket port to trusted endpoints only (firewall rules, security groups, or binding the listener to an internal interface), or disabling WebSocket support entirely if it is not required.
These measures reduce the attack surface by preventing untrusted clients from connecting and sending malicious frames. Authentication settings do not help here, because the crafted frame is processed before the client authenticates.
The definitive fix is to upgrade the NATS Server to version 2.11.14, 2.12.5, or later, where the vulnerability has been patched by adding proper validation of the 64-bit extended payload length field. In clustered deployments, upgrade every node, since a single crashed server also disrupts routes, gateways, leaf nodes, and Raft consensus for the rest of the cluster.