NATS-Server Leafnode Pre-Authentication Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in NATS-Server 2.x versions prior to 2.11.14 and 2.12.5. When the leafnode configuration is enabled (it is not enabled by default) and compression is active, a remote NATS server can crash the NATS-Server by triggering a panic. The issue occurs before authentication and relies on the default compression setting used with leafnodes: sending leafnode subscription commands on a connection that has not authenticated leads to a server panic and crash.

Impact

Exploitation of this vulnerability causes the NATS-Server process to crash, resulting in a denial-of-service condition in which the server becomes unresponsive and can no longer handle requests or connections.

Reproduction

The vulnerability can be reproduced by running a NATS-Server instance with the leafnode configuration enabled and compression turned on. Once the server is running, a connection that bypasses authentication can be established and leafnode subscription commands sent over it; the server panics and crashes when it processes these commands before the connection has been authenticated.

Remediation

Users should upgrade to NATS-Server 2.11.14 or 2.12.5, where this vulnerability has been fixed. If an immediate upgrade is not possible, disabling compression on the leafnode port is a temporary workaround.
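An added example, not taken from the advisory or from the NATS project, of the temporary workaround described above: the leafnode listener with compression left at its default beside the same listener with compression turned off. The port, listen address and credentials are constructed; the compression keys follow the leafnodes compression settings documented for NATS-Server 2.10 and later.

```conf
# leaf.conf: accepting (hub) side of a leafnode connection. Constructed example;
# port, listen address and credentials are assumptions, not from the advisory.

# Affected state: enabling the leafnode listener without a compression block
# leaves the default compression mode (s2_auto) active, which is the setting
# the advisory says is reachable before authentication on vulnerable versions.
#
# leafnodes {
#   port: 7422
# }

# Temporary workaround for versions prior to 2.11.14 / 2.12.5: switch
# compression off on the leafnode port. Upgrading remains the actual fix.
leafnodes {
  listen: "0.0.0.0:7422"
  compression: {
    mode: "off"
  }
  # Leaf credentials are still required for normal operation, but on affected
  # versions they do not prevent the crash, since the panic happens before
  # credentials are checked; only the compression setting above does.
  authorization {
    user: "leaf"
    password: "PLACEHOLDER-change-me"
  }
}
```

Validate the file with `nats-server -c leaf.conf -t` before starting the server with `nats-server -c leaf.conf`.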

Added: Mar 25, 2026, 10:28 PM
Updated: Mar 25, 2026, 10:28 PM

Vulnerability Rating

Custom Algorithm

spread          6.2
impact          2.5
exploitability  9.1
remediation     8.3
relevance       4.7
threat          4.8
urgency         2.9
incentive       8.3

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.