NATS-Server WebSocket Compression Bomb Vulnerability Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in NATS-Server versions prior to 2.11.12 and 2.12.3. The flaw lies in the WebSocket transport: a compressed WebSocket message is decompressed without any limit on how much memory the inflated data may consume. Because WebSocket compression is negotiated during the connection handshake, before the client authenticates, an unauthenticated attacker who can reach the WebSocket listener can send a small compressed message that inflates to a very large one (a 'compression bomb'). Each such message forces the server to allocate the full inflated size, driving memory use up until the operating system terminates the server process.
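The two halves of the problem, an attacker-controlled inflation ratio and a decoder that trusts it, are easy to see in a few lines of Go, the language NATS-Server is written in. The following is an added example, not code from NATS-Server or from the advisory: it builds a raw DEFLATE stream (the encoding carried by WebSocket permessage-deflate) that inflates to 64 MiB of zeros from a few tens of kilobytes on the wire, then contrasts an unbounded inflate with one that caps the output size. The function names, the 64 MiB target and the 1 MiB cap are choices made for the demonstration; the cap value an actual server should use depends on its configured maximum payload.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// ErrInflatedTooLarge is returned when a message would inflate past the configured cap.
var ErrInflatedTooLarge = errors.New("inflated payload exceeds limit")

// MakeBomb builds a raw DEFLATE stream that inflates to n bytes of zeros.
// This is constructed demo input, not a captured NATS message.
func MakeBomb(n int) ([]byte, error) {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.BestCompression)
	if err != nil {
		return nil, err
	}
	zeros := make([]byte, 64*1024)
	for remaining := n; remaining > 0; {
		chunk := zeros
		if remaining < len(zeros) {
			chunk = zeros[:remaining]
		}
		if _, err := w.Write(chunk); err != nil {
			return nil, err
		}
		remaining -= len(chunk)
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// InflateUnbounded shows the vulnerable pattern: inflate the whole message into
// memory. The size of the allocation is chosen entirely by the sender.
func InflateUnbounded(compressed []byte) (int, error) {
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	out, err := io.ReadAll(r)
	if err != nil {
		return 0, err
	}
	return len(out), nil
}

// InflateBounded is the hardened form: stop reading once the output would exceed
// maxOut, so one message can cost at most maxOut+1 bytes of buffer, whatever the
// compressed stream claims.
func InflateBounded(compressed []byte, maxOut int64) ([]byte, error) {
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	// Allow exactly one byte past the cap: if that byte arrives, reject the message.
	out, err := io.ReadAll(io.LimitReader(r, maxOut+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > maxOut {
		return nil, ErrInflatedTooLarge
	}
	return out, nil
}

func main() {
	const target = 64 << 20 // 64 MiB of zeros; roughly 1000:1 over DEFLATE
	bomb, err := MakeBomb(target)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wire size %d bytes -> inflates to %d bytes (%d:1)\n",
		len(bomb), target, target/len(bomb))

	// Hardened path: rejected after allocating at most 1 MiB + 1 byte.
	if _, err := InflateBounded(bomb, 1<<20); err != nil {
		fmt.Println("bounded inflate:", err)
	}
	// Vulnerable path: allocates the full 64 MiB for a single message.
	n, _ := InflateUnbounded(bomb)
	fmt.Println("unbounded inflate allocated", n, "bytes")
}
```

The cap has to be applied to the inflated byte count, not to the compressed frame length; a frame-size limit alone does nothing against this class of bug, because the ratio, not the frame, is what the attacker controls. The same reasoning applies to any decoder that runs before authentication: the attacker pays only for the bytes on the wire.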

Impact

Exploitation causes excessive memory consumption on the server; in practice the operating system's out-of-memory handling terminates the NATS-Server process, which is a denial of service for every client of that server. No credentials are needed, so any host that can reach the WebSocket listener can trigger it.

Reproduction

The vulnerability can be reproduced against a NATS-Server instance running a vulnerable version with the WebSocket listener enabled. A WebSocket client connects, negotiates compression during the handshake, and then sends a small compressed message whose inflated size is far larger than its wire size. Because compression is negotiated before authentication, the client does not need valid credentials; the server decompresses the message without a memory limit and its memory use grows accordingly.

Remediation

Upgrade to NATS-Server 2.11.12 or 2.12.3 (or a later release of those lines), which contain the fix. Builds are available from the NATS-Server GitHub Releases page. Until the upgrade is done, keep the WebSocket listener off untrusted networks, since the flaw is reachable before authentication.
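A quick triage check is to classify a deployed server's version against the two fixed releases named above. This is an added example in Go, not tooling from the NATS project: it parses a version triple out of a string such as the `nats-server: v2.11.11` line that `nats-server --version` prints (that output shape is assumed here), and reports whether the version predates the fix on its line. Versions newer than both fixed lines are treated as fixed, which is an assumption beyond what the advisory states.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"regexp"
	"strconv"
)

// Version is a parsed major.minor.patch triple.
type Version struct{ Major, Minor, Patch int }

var versionRE = regexp.MustCompile(`v?(\d+)\.(\d+)\.(\d+)`)

// ParseVersion extracts the first major.minor.patch triple from s, e.g. from
// "nats-server: v2.11.11" (assumed `nats-server --version` output shape).
func ParseVersion(s string) (Version, error) {
	m := versionRE.FindStringSubmatch(s)
	if m == nil {
		return Version{}, fmt.Errorf("no version found in %q", s)
	}
	maj, _ := strconv.Atoi(m[1])
	min, _ := strconv.Atoi(m[2])
	pat, _ := strconv.Atoi(m[3])
	return Version{maj, min, pat}, nil
}

// Less reports whether v sorts before o.
func (v Version) Less(o Version) bool {
	if v.Major != o.Major {
		return v.Major < o.Major
	}
	if v.Minor != o.Minor {
		return v.Minor < o.Minor
	}
	return v.Patch < o.Patch
}

// fixedIn lists the first fixed release of each affected line, from the advisory.
var fixedIn = []Version{{2, 11, 12}, {2, 12, 3}}

// IsVulnerable reports whether v predates the fix: everything below 2.11.12
// (older lines included) and 2.12.0 through 2.12.2. Lines newer than 2.12 are
// assumed to carry the fix.
func IsVulnerable(v Version) bool {
	for _, f := range fixedIn {
		if v.Major == f.Major && v.Minor == f.Minor {
			return v.Less(f)
		}
	}
	return v.Less(fixedIn[0])
}

// Usage: nats-server --version | go run check.go
func main() {
	sc := bufio.NewScanner(os.Stdin)
	for sc.Scan() {
		v, err := ParseVersion(sc.Text())
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			continue
		}
		state := "fixed"
		if IsVulnerable(v) {
			state = "VULNERABLE, upgrade to 2.11.12 or 2.12.3"
		}
		fmt.Printf("%d.%d.%d: %s\n", v.Major, v.Minor, v.Patch, state)
	}
}
```

Run it on each server in an inventory rather than trusting the package manager's idea of the version, since a binary on disk may not match the process that is actually listening.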

Added: Feb 24, 2026, 5:36 PM
Updated: Feb 24, 2026, 10:12 PM

Vulnerability Rating

Custom Algorithm

spread          6.2
impact          2.5
exploitability  9.1
remediation     7.9
relevance       3.1
threat          4.8
urgency         2.9
incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.