CVE-2026-29785
Received Received - Intake
Denial of Service in NATS-Server Leafnode via Compression Panic

Publication date: 2026-03-25

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.14 and 2.12.5, if the nats-server has the "leafnode" configuration enabled (not default), then anyone who can connect can crash the nats-server by triggering a panic. This happens pre-authentication and requires that compression be enabled (which it is, by default, when leafnodes are used). Versions 2.11.14 and 2.12.5 contain a fix. As a workaround, disable compression on the leafnode port.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-03-26
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-29785
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linuxfoundation nats-server From 2.12.0 (inc) to 2.12.5 (exc)
linuxfoundation nats-server to 2.11.14 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-29785 is a vulnerability in the NATS.io server that affects versions prior to 2.11.14 and 2.12.5 when the "leafnode" feature is enabled with compression turned on (which is the default for leafnodes). A malicious remote server connecting as a leafnode can exploit the compression negotiation process to trigger a server panic, causing the NATS server to crash before any authentication occurs.

This vulnerability allows anyone who can connect to the leafnode port to cause a denial of service by crashing the server, without needing any privileges or user interaction.

Impact Analysis

This vulnerability can cause a denial of service (DoS) by crashing the NATS server, leading to service disruption and loss of availability.

  • The attack can be performed remotely over the network with low complexity.
  • No privileges or user interaction are required to exploit this vulnerability.
  • The impact is limited to availability; confidentiality and integrity are not affected.
Detection Guidance

This vulnerability occurs when the NATS server is configured with the leafnode feature enabled and compression is active on the leafnode port (default port 7422). Detection involves checking if your NATS server is running a vulnerable version prior to 2.11.14 or 2.12.5, and if leafnodes with compression enabled are in use.

You can verify the NATS server version by running a command like:

  • nats-server -version

To check if leafnodes are enabled and compression is active, inspect your NATS server configuration file for a leafnodes section similar to:

  • leafnodes { port: 7422 compression: on }

Additionally, monitoring server logs for panic or crash messages related to leafnode connections or compression negotiation can help detect exploitation attempts.

Mitigation Strategies

The primary mitigation is to upgrade your NATS server to version 2.11.14, 2.12.5, or later, where this vulnerability is fixed.

If upgrading immediately is not possible, you can apply a workaround by disabling compression on the leafnode port in your NATS server configuration.

  • Configure the leafnodes section as follows to disable compression:
  • leafnodes { port: 7422 compression: off }

This prevents the compression negotiation that triggers the server panic and crash.

Compliance Impact

This vulnerability results in a denial-of-service (DoS) condition by crashing the NATS server when the leafnode feature with compression enabled is exploited. It affects availability only and does not impact confidentiality or integrity of data.

Since the vulnerability does not compromise confidentiality or integrity, it does not directly expose personal or sensitive data, which are primary concerns under standards like GDPR or HIPAA.

However, the availability impact caused by the server crash could affect service continuity, which may have indirect compliance implications depending on the criticality of the service and contractual or regulatory uptime requirements.

Organizations relying on NATS server with leafnode enabled should mitigate this vulnerability by upgrading to fixed versions or disabling compression to maintain service availability and thus support compliance with availability requirements in relevant standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29785. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart