{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29785", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-04T16:26:02.899Z", "datePublished": "2026-03-25T19:38:44.587Z", "dateUpdated": "2026-03-25T19:40:51.282Z"}, "containers": {"cna": {"title": "NATS Server panic via malicious compression on leafnode port", "problemTypes": [{"descriptions": [{"cweId": "CWE-476", "lang": "en", "description": "CWE-476: NULL Pointer Dereference", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-52jh-2xxh-pwh6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-52jh-2xxh-pwh6"}, {"name": "https://github.com/nats-io/nats-server/commit/a1488de6f2ba6e666aef0f9cce0016f7f167d6a8", "tags": ["x_refsource_MISC"], "url": "https://github.com/nats-io/nats-server/commit/a1488de6f2ba6e666aef0f9cce0016f7f167d6a8"}, {"name": "https://advisories.nats.io/CVE/secnote-2026-04.txt", "tags": ["x_refsource_MISC"], "url": "https://advisories.nats.io/CVE/secnote-2026-04.txt"}], "affected": [{"vendor": "nats-io", "product": "nats-server", "versions": [{"version": "< 2.11.14", "status": "affected"}, {"version": ">= 2.12.0-RC.1, < 2.12.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T19:40:51.282Z"}, "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.14 and 2.12.5, if the nats-server has the \"leafnode\" configuration enabled (not default), then anyone who can connect can crash the nats-server by triggering a panic. This happens pre-authentication and requires that compression be enabled (which it is, by default, when leafnodes are used). Versions 2.11.14 and 2.12.5 contain a fix. As a workaround, disable compression on the leafnode port."}], "source": {"advisory": "GHSA-52jh-2xxh-pwh6", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.14 and 2.12.5, if the nats-server has the \"leafnode\" configuration enabled (not default), then anyone who can connect can crash the nats-server by triggering a panic. This happens pre-authentication and requires that compression be enabled (which it is, by default, when leafnodes are used). Versions 2.11.14 and 2.12.5 contain a fix. As a workaround, disable compression on the leafnode port."}], "id": "CVE-2026-29785", "lastModified": "2026-03-25T20:16:30.373", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-25T20:16:30.373", "references": [{"source": "security-advisories@github.com", "url": "https://advisories.nats.io/CVE/secnote-2026-04.txt"}, {"source": "security-advisories@github.com", "url": "https://github.com/nats-io/nats-server/commit/a1488de6f2ba6e666aef0f9cce0016f7f167d6a8"}, {"source": "security-advisories@github.com", "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-52jh-2xxh-pwh6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "github.com/nats-io/nats-server: NATS-Server: Denial of Service via leafnode compression", "id": "2451444", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451444"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-409", "details": ["A flaw was found in NATS-Server. A remote attacker can exploit this vulnerability by connecting to a NATS-Server instance where the 'leafnode' configuration is enabled and compression is active. This pre-authentication flaw allows the attacker to trigger a server crash, resulting in a Denial of Service (DoS) for the affected system."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-29785", "package_state": [{"cpe": "cpe:/a:redhat:multicluster_globalhub", "fix_state": "Affected", "package_name": "multicluster-globalhub/multicluster-globalhub-grafana-rhel9", "product_name": "Multicluster Global Hub"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/oc-mirror-plugin-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-03-25T19:38:44Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-29785\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-29785\nhttps://advisories.nats.io/CVE/secnote-2026-04.txt\nhttps://github.com/nats-io/nats-server/commit/a1488de6f2ba6e666aef0f9cce0016f7f167d6a8\nhttps://github.com/nats-io/nats-server/security/advisories/GHSA-52jh-2xxh-pwh6"], "threat_severity": "Important"}

{"analysis": {"en": {"generated_at": "2026-03-25T21:29:36.896557+00:00", "value": {"mitigation_remediation": ["Upgrade to nats-server version 2.11.14 or newer (including 2.12.5).", "If upgrade is not possible, disable compression on the leafnode port as a temporary workaround.", "Verify that the leafnode configuration is correctly secured and monitor server logs for crash attempts."], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the nats\u2011io nats\u2011server product. Any deployment using leafnode functionality, which defaults to compression enabled, is susceptible if it runs a version older than 2.11.14 or 2.12.5. Versions 2.11.14 and 2.12.5 contain the fix.", "description_and_impact": "NATS-Server prior to versions 2.11.14 and 2.12.5 can crash when a client connects via the leafnode configuration. A malformed compressed payload sent before authentication leads to a panic, resulting in a denial\u2011of\u2011service condition. The weakness is a null\u2011pointer dereference reflected by CWE\u2011476.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity. No EPSS data is available, and the issue is not listed in CISA KEV. Because the exploit does not require prior authentication and leverages the default compression setting on the leafnode port, the attack vector is likely remote network. An attacker only needs the ability to connect to the exposed leafnode port to trigger the crash."}}}}, "created": "2026-03-25T21:46:24.067816+00:00", "updated": "2026-03-25T21:46:24.067840+00:00", "vendors": []}