CVE-2026-33219
Status: Received - Intake
Unbounded Memory Consumption via WebSockets in NATS-Server

Publication date: 2026-03-25

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
NATS-Server is a high-performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires sending a corresponding amount of data. This is a milder variant of CVE-2026-27571. That earlier issue was a compression bomb; this vulnerability is not. Attacks against this new issue thus require significant client bandwidth. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable websockets if not required for the deployment.
Meta Information
Published: 2026-03-25
Last Modified: 2026-03-26
Generated: 2026-05-07
AI Q&A: 2026-03-26
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor            Product      Version / Range
linuxfoundation   nats-server  from 2.12.0 (inclusive) to 2.12.6 (exclusive)
linuxfoundation   nats-server  up to 2.11.15 (exclusive)
CWE
CWE-770 (Allocation of Resources Without Limits or Throttling): The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33219 is a moderate severity vulnerability in nats-server, the open-source, high-performance server for the NATS.io messaging system used in cloud, on-premise, IoT, and edge deployments.

The flaw is in the server's WebSocket client listener. A malicious client that can reach the WebSocket port can make nats-server allocate memory without bound before it has authenticated, simply by sending a large volume of data; the server keeps buffering what it receives instead of capping it.

It is a milder variant of the earlier CVE-2026-27571. That issue was a compression bomb, where a small compressed payload expanded into a large allocation on the server. This one does not involve compression, so the attacker must actually transmit every byte the server ends up holding and therefore needs significant upload bandwidth.

The attack vector is network-based and requires no privileges or user interaction. The impact is to availability only: memory exhaustion that can make the server unavailable.

Affected versions are 2.12.0 through 2.12.5 and everything before 2.11.15 (i.e. up to and including 2.11.14). The fix ships in 2.12.6 and 2.11.15.

A workaround is to disable WebSockets support if it is not required for the deployment.


How can this vulnerability impact me?

A malicious client that can reach the WebSocket port can drive nats-server's memory use up without bound before it has authenticated, so valid credentials are not needed to trigger it.

The excessive memory use can lead to resource exhaustion, resulting in a denial of service (DoS) in which the server becomes unavailable to legitimate clients.

There is no impact on confidentiality or integrity; only availability is affected.

Exploitation needs significant client bandwidth (the attacker must send roughly as much data as it wants the server to hold) but no privileges or user interaction.

If your deployment enables WebSockets and the WebSocket port is reachable from untrusted networks, you are at risk. Deployments with no websocket block in the server configuration never open the listener and are not exposed.

Mitigation is to upgrade to a fixed version or, if WebSockets are not needed, to disable them.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The vulnerability is unbounded memory consumption on the nats-server WebSocket port before authentication, triggered by a client that sends a large volume of data. There is no signature for it as such; detection means spotting the resource exhaustion it causes and the traffic that causes it.

On the host, watch the nats-server process for memory growth that does not track the number of authenticated clients or the message volume you expect. On the network, watch the WebSocket port for unusually large or sustained inbound transfers from peers that never complete authentication.

Specific commands are not provided in the available resources, but general approaches include:

  • Using system monitoring tools like 'top', 'htop', or 'ps' to observe the resident memory of the nats-server process over time.
  • Polling the server's own monitoring endpoint, if enabled (the /varz page on the HTTP monitoring port reports memory use in bytes and the current connection count), and alerting on steep growth between polls.
  • Using network monitoring tools such as 'tcpdump' or 'wireshark' to capture and analyze WebSocket traffic for abnormal inbound data volumes per source address.
  • Checking server logs for bursts of WebSocket connections that never authenticate, and running 'nats-server -v' to confirm whether the installed binary is in an affected range.
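The two host-side checks above (is the binary in an affected range, and is resident memory climbing abnormally) can be scripted. The following is an added example, not code from the nats-server project or from the advisory. It assumes that `nats-server -v` prints a line such as `nats-server: v2.11.14`, and that the /varz monitoring endpoint returns JSON whose `mem` field is resident memory in bytes; the three /varz excerpts embedded in it are constructed sample data, not captured from a real server. The version ranges are the CPE ranges listed on this page.

```python
"""Added example for CVE-2026-33219; not code from the nats-server project or
the advisory.  It (1) classifies a nats-server version string against the
affected ranges on this page and (2) flags abnormal resident-memory growth
across a series of /varz snapshots.

Assumptions: `nats-server -v` prints a line like "nats-server: v2.11.14", and
the HTTP monitoring endpoint /varz returns JSON with a "mem" field holding
resident memory in bytes.
"""

import json
import re
import subprocess
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Ranges from the page's CPE data: everything before 2.11.15 is affected, as is
# the 2.12 branch from 2.12.0 up to (excluding) 2.12.6.
FIXED_2_11: Version = (2, 11, 15)
BRANCH_2_12_START: Version = (2, 12, 0)
FIXED_2_12: Version = (2, 12, 6)

_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract MAJOR.MINOR.PATCH from `nats-server -v` output or a bare tag.

    A pre-release suffix such as "-RC.1" is ignored; the numeric triple is
    all the range check needs.  Returns None when no version is present."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(v: Version) -> bool:
    """True when v falls in either affected range.

    2.11.15 and later on the 2.11 branch, and 2.12.6 and later, are fixed.
    Tuple comparison gives numeric ordering (2.11.9 < 2.11.15)."""
    return v < FIXED_2_11 or BRANCH_2_12_START <= v < FIXED_2_12


def classify(text: str) -> str:
    """'affected', 'fixed', or 'unknown' for a version string or -v output."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    return "affected" if is_affected(v) else "fixed"


def rss_growth(snapshots: List[Dict], limit_bytes: int) -> Tuple[int, bool]:
    """Compare the first and last /varz snapshot of a polling window.

    Returns (growth_in_bytes, exceeded).  A steep climb over a short window
    with no matching rise in legitimate traffic is the pattern to alert on.
    Only the "mem" field of each snapshot is used."""
    if len(snapshots) < 2:
        return 0, False
    growth = int(snapshots[-1]["mem"]) - int(snapshots[0]["mem"])
    return growth, growth > limit_bytes


# Constructed /varz excerpts (not captured from a real server): three polls a
# minute apart during which RSS climbs from ~52 MiB to ~1.75 GiB.
SAMPLE_VARZ = [
    '{"server_id":"NBEXAMPLE","version":"2.12.5","mem":54525952,"connections":3}',
    '{"server_id":"NBEXAMPLE","version":"2.12.5","mem":629145600,"connections":3}',
    '{"server_id":"NBEXAMPLE","version":"2.12.5","mem":1879048192,"connections":3}',
]

GROWTH_LIMIT = 512 * 1024 * 1024  # alert if RSS grows by more than 512 MiB


def check_sample() -> Tuple[int, bool]:
    """Run rss_growth over the constructed snapshots."""
    snaps = [json.loads(s) for s in SAMPLE_VARZ]
    return rss_growth(snaps, GROWTH_LIMIT)


def local_server_status() -> str:
    """Classify the nats-server binary on PATH; 'unknown' if none is found."""
    try:
        out = subprocess.run(["nats-server", "-v"], capture_output=True,
                             text=True, check=False)
    except FileNotFoundError:
        return "unknown"
    return classify(out.stdout + out.stderr)


if __name__ == "__main__":
    print("local nats-server:", local_server_status())
    growth, exceeded = check_sample()
    print(f"sample /varz RSS growth: {growth} bytes, exceeded={exceeded}")
```

The version check deliberately treats 2.11.15 through 2.11.x as fixed and 2.12.0 through 2.12.5 as affected, matching the two CPE ranges; a naive "less than 2.12.6" test would wrongly flag a patched 2.11.15. The growth check is a starting point for a cron job or exporter rule; the 512 MiB limit is a placeholder to tune against your own baseline.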

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade nats-server to 2.11.15 or 2.12.6 (or later on the respective branch), which contain the fix.

If upgrading immediately is not possible, the advisory's workaround is to disable WebSockets if your deployment does not need them: nats-server only opens the WebSocket listener when a websocket block is present in its configuration, so removing that block closes the exposure.

If WebSockets are required, restrict network exposure of the WebSocket port to trusted clients only (host firewall rules, binding the listener to an internal address, or placing it behind a proxy that admits only known peers) until the upgrade is done. This narrows who can reach the listener but does not remove the bug; any client on a permitted network path can still trigger it.
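A nats-server configuration showing the exposed setting beside the two hardened alternatives, as an added example that is not from the advisory or the project. The addresses, port numbers and certificate paths are placeholders; the option names (websocket, port, listen, no_tls, tls, cert_file, key_file) are the server's own.

```conf
# --- Before: WebSocket listener reachable from every interface ---------------
# nats-server only opens a WebSocket listener when a websocket block exists.
# This one binds 0.0.0.0:8080 without TLS, so any host that can reach port 8080
# can open the pre-authentication connection described in the advisory.
port: 4222

websocket {
    port: 8080
    no_tls: true
}

# --- After, option A (WebSockets not needed): remove the block ---------------
# With no websocket block the listener is never opened.  This is the
# advisory's workaround.
port: 4222

# --- After, option B (WebSockets needed): limit reach until the upgrade ------
# Bind to an internal address (a reverse proxy or firewall fronts it) and
# require TLS.  Paths and addresses are placeholders.  This narrows who can
# connect; only 2.11.15 / 2.12.6 removes the unbounded allocation itself.
port: 4222

websocket {
    listen: "10.0.1.5:8443"
    tls {
        cert_file: "/etc/nats/certs/server.crt"
        key_file:  "/etc/nats/certs/server.key"
    }
}
```

The three fragments are alternatives, not one file; pick A or B. Option B still leaves the bug in place for any client the proxy or firewall admits, so it is a stopgap, not a substitute for the upgrade.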


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability causes a denial-of-service (DoS) condition by allowing unbounded memory consumption on the nats-server before authentication, impacting availability but not confidentiality or integrity.

Since the vulnerability does not affect confidentiality or integrity of data, it does not directly lead to data breaches or unauthorized data access that would typically violate standards like GDPR or HIPAA.

However, the availability impact could affect service continuity, which may have indirect compliance implications depending on the regulatory requirements for uptime and service reliability.

Mitigation involves upgrading to fixed versions or disabling WebSockets if not required, which helps maintain compliance by reducing risk of service disruption.

