CVE-2026-27571

{"id": "CVE-2026-27571", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-27571", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-26T21:06:37.631926Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "affected": [{"source": "security-advisories@github.com", "affectedData": [{"vendor": "nats-io", "product": "nats-server", "versions": [{"status": "affected", "version": "< 2.11.12"}, {"status": "affected", "version": ">= 2.12.0-RC.1, < 2.12.3"}]}]}], "published": "2026-02-24T17:29:03.393", "references": [{"url": "https://github.com/nats-io/nats-server/commit/f77fb7c4535e6727cc1a2899cd8e6bbdd8ba2017", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nats-io/nats-server/releases/tag/v2.11.12", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nats-io/nats-server/releases/tag/v2.12.3", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-qrvq-68c2-7grw", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-409"}, {"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The WebSockets handling of NATS messages handles compressed messages via the WebSockets negotiated compression. Prior to versions 2.11.2 and 2.12.3, the implementation bound the memory size of a NATS message but did not independently bound the memory consumption of the memory stream when constructing a NATS message which might then fail validation for size reasons. An attacker can use a compression bomb to cause excessive memory consumption, often resulting in the operating system terminating the server process. The use of compression is negotiated before authentication, so this does not require valid NATS credentials to exploit. The fix, present in versions 2.11.2 and 2.12.3, was to bounds the decompression to fail once the message was too large, instead of continuing on. The vulnerability only affects deployments which use WebSockets and which expose the network port to untrusted end-points."}, {"lang": "es", "value": "NATS-Server es un servidor de alto rendimiento para NATS.io, un sistema de mensajer\u00eda nativo de la nube y el per\u00edmetro (edge). El manejo de mensajes NATS por WebSockets gestiona mensajes comprimidos a trav\u00e9s de la compresi\u00f3n negociada por WebSockets. Antes de las versiones 2.11.2 y 2.12.3, la implementaci\u00f3n limitaba el tama\u00f1o de la memoria de un mensaje NATS, pero no limitaba de forma independiente el consumo de memoria del flujo de memoria al construir un mensaje NATS que luego podr\u00eda fallar la validaci\u00f3n por razones de tama\u00f1o. Un atacante puede usar una bomba de compresi\u00f3n para provocar un consumo excesivo de memoria, lo que a menudo resulta en que el sistema operativo termine el proceso del servidor. El uso de la compresi\u00f3n se negocia antes de la autenticaci\u00f3n, por lo que esto no requiere credenciales NATS v\u00e1lidas para explotarlo. La soluci\u00f3n, presente en las versiones 2.11.2 y 2.12.3, fue establecer l\u00edmites para que la descompresi\u00f3n fallara una vez que el mensaje fuera demasiado grande, en lugar de continuar. La vulnerabilidad solo afecta a las implementaciones que usan WebSockets y que exponen el puerto de red a endpoints no confiables."}], "lastModified": "2026-06-17T10:27:19.650", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "84A02A21-D310-4BAA-BE58-472410934027", "versionEndExcluding": "2.11.12"}, {"criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "82EF19F0-15AD-422C-86C7-0D669060AC6F", "versionEndExcluding": "2.12.3", "versionStartIncluding": "2.12.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}