NATS-Server is a high-performance messaging server used in cloud and edge native environments. It supports WebSocket connections where message compression is negotiated before authentication. In affected versions prior to 2.11.12 and between 2.12.0-RC.1 and 2.12.3, the server bounded the memory size of a NATS message but failed to independently limit the memory consumption of the decompression stream when constructing the message. This improper handling of highly compressed data (CWE-409) allows an attacker to craft a compression bomb—a small compressed payload that expands to a very large size upon decompression. When such a payload is sent over WebSockets, the server attempts to decompress it without sufficient bounds, leading to excessive memory allocation. This can exhaust system resources and cause the operating system to terminate the nats-server process, resulting in denial of service (CWE-770). Since compression negotiation happens before authentication, an unauthenticated attacker can exploit this vulnerability if the WebSocket port is exposed to untrusted networks. The fix implemented in versions 2.11.12 and 2.12.3 adds strict bounds on decompression size, causing decompression to fail early if the message exceeds acceptable limits, preventing resource exhaustion. This vulnerability does not affect non-WebSocket deployments or those not exposing the WebSocket port externally. No public exploits have been observed, but the vulnerability has a CVSS v3.1 score of 5.9, reflecting medium severity with network attack vector, high attack complexity, no privileges required, no user interaction, and impact limited to availability.

The primary impact of this vulnerability is denial of service through resource exhaustion. An attacker can cause the nats-server process to consume excessive memory by sending a crafted compression bomb over WebSockets, leading to process termination by the operating system. This disrupts messaging services relying on nats-server, potentially affecting critical cloud-native and edge-native applications that depend on reliable message delivery. The availability impact can cascade to dependent systems and services, causing outages or degraded performance. Since exploitation does not require authentication, any exposed WebSocket endpoint is at risk from remote attackers. However, confidentiality and integrity are not impacted by this vulnerability. Organizations running nats-server with WebSocket support exposed to untrusted networks face increased risk of denial of service attacks, which could be leveraged as part of larger multi-vector attacks or to cause operational disruptions.

Organizations should upgrade affected nats-server deployments to version 2.11.12 or 2.12.3 or later, where the decompression bounds fix is implemented. If immediate upgrade is not possible, mitigate risk by restricting access to the WebSocket port using network-level controls such as firewalls or VPNs to limit exposure to trusted clients only. Disable WebSocket support if it is not required. Implement monitoring and alerting on memory usage and process restarts of nats-server to detect potential exploitation attempts early. Consider deploying rate limiting or Web Application Firewall (WAF) rules to detect and block suspiciously large or compressed WebSocket messages. Review and harden authentication and network segmentation to reduce attack surface. Regularly audit and update dependencies to incorporate security patches promptly.