CVE-2026-33219
Received Received - Intake
Unbounded Memory Consumption via WebSockets in NATS-Server

Publication date: 2026-03-25

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires sending a corresponding amount of data. This is a milder variant of CVE-2026-27571. That earlier issue was a compression bomb, this vulnerability is not. Attacks against this new issue thus require significant client bandwidth. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable websockets if not required for project deployment.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-03-26
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33219
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linuxfoundation nats-server From 2.12.0 (inc) to 2.12.6 (exc)
linuxfoundation nats-server to 2.11.15 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33219 is a moderate severity vulnerability affecting the nats-server, a high-performance open-source messaging server used in cloud, on-premise, IoT, and edge computing environments.

The vulnerability occurs in the WebSockets client service of nats-server, which allows a malicious client connecting to the WebSockets port to cause unbounded memory consumption on the server before authentication by sending a large volume of data.

Unlike a related earlier vulnerability (CVE-2026-27571) that involved a compression bomb, this issue does not rely on compression but still requires significant client bandwidth to exploit.

The attack vector is network-based, requires no privileges or user interaction, and impacts availability by potentially causing denial of service due to resource exhaustion.

The vulnerability affects all nats-server versions up to and including v2.12.5 and v2.11.14, and was fixed in versions v2.12.6 and v2.11.15.

A workaround is to disable WebSockets support if it is not required for the deployment.

Impact Analysis

This vulnerability can impact you by causing unbounded memory consumption on the nats-server when a malicious client connects to the WebSockets port and sends a large amount of data before authentication.

The excessive memory use can lead to resource exhaustion, potentially resulting in a denial of service (DoS) condition where the server becomes unavailable.

There is no impact on confidentiality or integrity, but availability of the service can be disrupted.

Exploitation requires significant client bandwidth but no privileges or user interaction.

If your deployment uses WebSockets and exposes the WebSockets port to untrusted networks, you are at risk.

Mitigation includes upgrading to fixed versions or disabling WebSockets if not needed.

Detection Guidance

This vulnerability involves unbounded memory consumption on the nats-server WebSockets port before authentication when a malicious client sends a large volume of data. Detection involves monitoring for unusual or excessive memory usage by the nats-server process, especially on the WebSockets port.

Network-level detection can include monitoring traffic on the WebSockets port for unusually large or sustained data transfers from unauthenticated clients.

Specific commands are not provided in the available resources, but general approaches include:

  • Using system monitoring tools like 'top', 'htop', or 'ps' to observe memory usage of the nats-server process.
  • Using network monitoring tools such as 'tcpdump' or 'wireshark' to capture and analyze WebSockets traffic for abnormal data volumes.
  • Checking server logs for repeated or large WebSockets connection attempts before authentication.
Mitigation Strategies

The primary mitigation is to upgrade the nats-server to versions 2.11.15 or 2.12.6 and later, which contain fixes for this vulnerability.

If upgrading immediately is not possible, a recommended workaround is to disable WebSockets support on the nats-server if it is not required for your deployment.

Additionally, restricting network exposure of the WebSockets port to trusted clients only can reduce the risk of exploitation.

Compliance Impact

This vulnerability causes a denial-of-service (DoS) condition by allowing unbounded memory consumption on the nats-server before authentication, impacting availability but not confidentiality or integrity.

Since the vulnerability does not affect confidentiality or integrity of data, it does not directly lead to data breaches or unauthorized data access that would typically violate standards like GDPR or HIPAA.

However, the availability impact could affect service continuity, which may have indirect compliance implications depending on the regulatory requirements for uptime and service reliability.

Mitigation involves upgrading to fixed versions or disabling WebSockets if not required, which helps maintain compliance by reducing risk of service disruption.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33219. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart