CVE-2026-58250

Summary

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.12.8 and 2.11.17, an unauthenticated peer with network access to a leafnode listener with compression enabled could crash the server during the pre-authentication leafnode handshake by sending repeated leafnode INFO protocol messages before authentication and account setup completed. This issue is fixed in versions 2.12.8 and 2.11.17.

Affected Software

VendorProductVersion RangeStatus
nats-ionats-server< 2.11.17affected
nats-ionats-server>= 2.12.0-preview.1, < 2.12.8affected

Weaknesses

  • CWE-476: CWE-476: NULL Pointer Dereference

References