CVE-2026-29785
Denial of Service in NATS-Server Leafnode via Compression Panic
Publication date: 2026-03-25
Last updated on: 2026-03-26
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | nats-server | From 2.12.0 (inc) to 2.12.5 (exc) |
| linuxfoundation | nats-server | Up to 2.11.14 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-29785 is a vulnerability in the NATS.io server that affects versions prior to 2.11.14 and 2.12.5 when the "leafnode" feature is enabled with compression turned on (which is the default for leafnodes). A malicious remote server connecting as a leafnode can exploit the compression negotiation process to trigger a server panic, causing the NATS server to crash before any authentication occurs.
This vulnerability allows anyone who can connect to the leafnode port to cause a denial of service by crashing the server, without needing any privileges or user interaction.
How can this vulnerability impact me?
This vulnerability can cause a denial of service (DoS) by crashing the NATS server, leading to service disruption and loss of availability.
- The attack can be performed remotely over the network with low complexity.
- No privileges or user interaction are required to exploit this vulnerability.
- The impact is limited to availability; confidentiality and integrity are not affected.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs when the NATS server is configured with the leafnode feature enabled and compression is active on the leafnode port (default port 7422). Detection involves checking if your NATS server is running a vulnerable version prior to 2.11.14 or 2.12.5, and if leafnodes with compression enabled are in use.
You can verify the NATS server version by running a command like:

```
nats-server -version
```
To check if leafnodes are enabled and compression is active, inspect your NATS server configuration file for a leafnodes section similar to:

```
leafnodes {
  port: 7422
  compression: on
}
```
Additionally, monitoring server logs for panic or crash messages related to leafnode connections or compression negotiation can help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade your NATS server to version 2.11.14, 2.12.5, or later, where this vulnerability is fixed.
If upgrading immediately is not possible, you can apply a workaround by disabling compression on the leafnode port in your NATS server configuration.
Configure the leafnodes section as follows to disable compression:

```
leafnodes {
  port: 7422
  compression: off
}
```
This prevents the compression negotiation that triggers the server panic and crash.
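The detection and mitigation checks above, combined into one script as an added example (not code from the advisory or the NATS project). It assumes `nats-server -version` prints a `MAJOR.MINOR.PATCH` string, applies the two affected ranges from the advisory, and treats a missing `compression` key in the `leafnodes` block as "on", which the advisory describes as the default.

```python
"""Added example, not advisory or NATS project code: exposure check for
CVE-2026-29785 from `nats-server -version` output and a config file.
Affected per the advisory: <2.11.14 and 2.12.0 to <2.12.5; leafnode
compression defaults to on when the key is absent."""
import re

def parse_version(text):
    """Pull MAJOR.MINOR.PATCH from e.g. 'nats-server: v2.12.3' (assumed format)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable_version(version):
    """True when the version falls in one of the two affected ranges."""
    return version < (2, 11, 14) or (2, 12, 0) <= version < (2, 12, 5)

def leafnode_compression_enabled(config_text):
    """None if no leafnodes block; else whether compression is on.
    Missing key means on (default); a map-style value is also treated as on."""
    start = re.search(r"\bleafnodes\s*\{", config_text)
    if not start:
        return None
    depth, i = 1, start.end()
    while i < len(config_text) and depth:  # walk to the matching '}'
        depth += {"{": 1, "}": -1}.get(config_text[i], 0)
        i += 1
    block = config_text[start.end():i - 1]
    value = re.search(r'\bcompression\s*[:=]?\s*"?(\w+)', block)
    if value is None:
        return True
    return value.group(1).lower() not in ("off", "false")

def assess(version_output, config_text):
    """Return 'fixed', 'no_leafnodes', 'workaround' or 'vulnerable'."""
    if not is_vulnerable_version(parse_version(version_output)):
        return "fixed"
    enabled = leafnode_compression_enabled(config_text)
    if enabled is None:
        return "no_leafnodes"
    return "vulnerable" if enabled else "workaround"

# Constructed sample: an affected build with compression left at its default.
SAMPLE_CONFIG = "port: 4222\nleafnodes {\n  port: 7422\n}\n"
if __name__ == "__main__":
    print(assess("nats-server: v2.12.3", SAMPLE_CONFIG))  # → vulnerable
```

A "workaround" result means compression is already off but the server is still on an affected build, so the upgrade remains the real fix.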
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability results in a denial-of-service (DoS) condition by crashing the NATS server when the leafnode feature with compression enabled is exploited. It affects availability only and does not impact confidentiality or integrity of data.
Since the vulnerability does not compromise confidentiality or integrity, it does not directly expose personal or sensitive data, which are primary concerns under standards like GDPR or HIPAA.
However, the availability impact caused by the server crash could affect service continuity, which may have indirect compliance implications depending on the criticality of the service and contractual or regulatory uptime requirements.
Organizations relying on NATS server with leafnode enabled should mitigate this vulnerability by upgrading to fixed versions or disabling compression to maintain service availability and thus support compliance with availability requirements in relevant standards.