CVE-2026-33218
Denial of Service via Malformed Leafnode Message in NATS-Server
Publication date: 2026-03-25
Last updated on: 2026-03-26
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | nats-server | From 2.12.0 (inc) to 2.12.6 (exc) |
| linuxfoundation | nats-server | Up to 2.11.15 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the NATS-Server, a high-performance messaging server used in cloud and edge native systems. Before versions 2.11.15 and 2.12.6, a client connecting to the leafnode port could send a specially malformed message before authentication, causing the server to crash.
The issue is fixed in versions 2.11.15 and 2.12.6. As a temporary workaround, users can disable leafnode support if it is not needed or restrict network access to the leafnode port to prevent exploitation.
How can this vulnerability impact me?
This vulnerability can cause a denial of service by crashing the NATS-Server when a malformed message is sent to the leafnode port pre-authentication. This means the server becomes unavailable, potentially disrupting messaging services that rely on it.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade NATS-Server to version 2.11.15 or later (2.11 branch) or 2.12.6 or later (2.12 branch), which contain the fix.
As a workaround, if upgrading is not immediately possible, you can disable leafnode support if it is not needed.
Alternatively, restrict network connections to the leafnode port to prevent untrusted clients from connecting, provided this does not compromise your service.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability causes a denial of service by crashing the nats-server, impacting availability but not confidentiality or integrity.
Since the vulnerability does not affect confidentiality or integrity of data, it does not directly expose personal or sensitive information.
However, the availability impact could affect compliance with standards that require system availability and resilience, such as HIPAA's requirements for availability of electronic protected health information (ePHI).
Organizations relying on nats-server should consider the risk of service disruption and apply mitigations to maintain compliance with availability requirements in regulations like GDPR and HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There is no specific detection method or command provided in the available resources to identify this vulnerability on your network or system.
However, general mitigation advice includes disabling leafnode support if it is not needed or restricting network access to the leafnode port to trusted sources.
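A version check against the affected ranges listed in the table above, added here as an example for the upgrade step and the detection question (it is not code from the advisory or from the NATS project). It assumes `nats-server --version` prints a banner like `nats-server: v2.12.3`; the sample banner in the block is constructed.

```shell
# Added example, not from the advisory or the NATS project: classify a nats-server
# version against the affected ranges (before 2.11.15; 2.12.0 up to, not including, 2.12.6).

# Compare the first three numeric components of two dotted versions.
# Prints -1, 0 or 1 for $1 <, =, > $2; missing components count as 0.
vercmp() {
  v1="$1.0.0"; v2="$2.0.0"
  i=0
  while [ "$i" -lt 3 ]; do
    x=${v1%%.*}; v1=${v1#*.}
    y=${v2%%.*}; v2=${v2#*.}
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    i=$((i + 1))
  done
  printf '%s\n' 0
}

# Return 0 when the version is inside a vulnerable range, 1 when it is not,
# 2 when the string is not a version. Accepts "v2.12.3" or "2.12.3-beta.1".
nats_version_affected() {
  v=${1#v}
  num=${v%%[!0-9.]*}          # numeric part, e.g. 2.12.3
  pre=${v#"$num"}             # pre-release tag, e.g. -beta.1 (may be empty)
  case $num in [0-9]*.[0-9]*) ;; *) return 2 ;; esac
  # Everything before 2.11.15 is affected.
  [ "$(vercmp "$num" 2.11.15)" -lt 0 ] && return 0
  # 2.12.0 <= version < 2.12.6 is affected.
  if [ "$(vercmp "$num" 2.12.0)" -ge 0 ] && [ "$(vercmp "$num" 2.12.6)" -lt 0 ]; then
    return 0
  fi
  # A pre-release build of a fix release predates the fix itself.
  [ -n "$pre" ] && [ "$(vercmp "$num" 2.11.15)" -eq 0 ] && return 0
  [ -n "$pre" ] && [ "$(vercmp "$num" 2.12.6)" -eq 0 ] && return 0
  return 1
}

# Pull the version out of a `nats-server --version` banner. The banner format
# assumed here ("nats-server: v2.12.3") is an assumption, not taken from the advisory.
nats_version_from_banner() {
  printf '%s\n' "$1" | sed -n 's/.*[[:space:]]v\([0-9][0-9A-Za-z.-]*\).*/\1/p'
}

# Constructed sample banner standing in for real `nats-server --version` output.
ver=$(nats_version_from_banner 'nats-server: v2.12.3')
if nats_version_affected "$ver"; then echo "nats-server $ver: affected by CVE-2026-33218, upgrade to 2.11.15 or 2.12.6 or later"
else echo "nats-server $ver: not in an affected range"; fi
```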