NATS-Server Pre-Authentication Denial-of-Service Vulnerability in Leafnode Handling

Vulnerability

A denial-of-service vulnerability has been identified in NATS-Server versions prior to 2.12.6 and 2.11.15. The issue arises in the leafnode handling, where a client can crash the server by sending a malformed message before authentication. Because the crash is triggered before any credentials are checked, any client that can open a connection to the leafnode port can exploit it.

Impact

Exploitation of this vulnerability causes a server panic, crashing the NATS server and interrupting service for every client and leafnode attached to it.

Remediation

Upgrade to NATS-Server 2.12.6 or 2.11.15. If an upgrade is not possible, disable leafnode support or restrict network access to the leafnode port, where this can be done without disrupting service.
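As an added example (not from the advisory or the NATS project), the POSIX shell helper below classifies a nats-server version string against the fixed releases named above, 2.12.6 and 2.11.15, so the check can be dropped into an inventory or patch-compliance script. It assumes that `nats-server --version` prints a line of the form `nats-server: v2.12.5`, that release lines newer than 2.12 already carry the fix, and that lines older than 2.11 have no fixed release named here and are therefore treated as affected; the sample version strings are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: classify a nats-server version against the fixed releases
# 2.12.6 / 2.11.15 named in the advisory. Not code from the advisory or NATS.

# Normalise "nats-server: v2.12.5", "v2.12.5-RC.1" or "2.12.5" to "2.12.5".
nats_version_number() {
    v=${1##*v}          # drop everything up to and including the last 'v'
    v=${v%%[!0-9.]*}    # drop any suffix such as "-RC.1" (assumed suffix shape)
    printf '%s\n' "$v"
}

# Exit status 0: affected, 1: carries the fix, 2: version string not understood.
nats_leafnode_dos_affected() {
    ver=$(nats_version_number "$1")
    case "$ver" in
        ""|*[!0-9.]*) echo "unrecognised version string: $1" >&2; return 2 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    case "$major.$minor" in
        2.12) [ "$patch" -lt 6 ] ;;    # fixed in 2.12.6
        2.11) [ "$patch" -lt 15 ] ;;   # fixed in 2.11.15
        *)
            # Assumption: lines newer than 2.12 ship the fix; lines older than
            # 2.11 have no fixed release named in the advisory, so treat them
            # as affected and plan an upgrade to a supported line.
            if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -gt 12 ]; }; then
                return 1
            else
                return 0
            fi
            ;;
    esac
}

# Constructed sample lines in the shape `nats-server --version` prints.
for sample in "nats-server: v2.12.5" "nats-server: v2.12.6" \
              "nats-server: v2.11.14" "nats-server: v2.11.15"; do
    if nats_leafnode_dos_affected "$sample"; then
        echo "$sample -> affected: upgrade to 2.12.6 / 2.11.15"
    else
        echo "$sample -> carries the fix"
    fi
done

# Check the locally installed binary, if there is one on PATH.
if command -v nats-server >/dev/null 2>&1; then
    if nats_leafnode_dos_affected "$(nats-server --version 2>&1)"; then
        echo "installed nats-server is affected"
    else
        echo "installed nats-server carries the fix"
    fi
fi
```

Where an upgrade has to wait, the same script can drive the interim measures from the advisory: the leafnode listener exists only while the server configuration contains a `leafnodes` block (its default port is 7422), so removing that block disables leafnode support, and a host or network firewall rule that limits which peers may reach that port restricts exposure until the fixed release is deployed.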

Added: Mar 25, 2026, 10:27 PM
Updated: Mar 25, 2026, 10:27 PM

Vulnerability Rating

Custom Algorithm
spread: 6.2
impact: 2.5
exploitability: 7.4
remediation: 8.3
relevance: 4.7
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.