NATS-Server is a high-performance messaging server used in cloud and edge native environments. It supports WebSocket connections where message compression is negotiated before authentication. In affected versions prior to 2.11.12 and between 2.12.0-RC.1 and 2.12.3, the server bounded the memory size of a NATS message but failed to independently limit the memory consumed by the decompression stream during message construction. An attacker can exploit this by sending a specially crafted compressed message (a compression bomb) that decompresses to a very large size, causing excessive memory allocation. This can overwhelm the server's resources, often triggering the operating system to terminate the nats-server process, resulting in denial of service. Since compression negotiation happens before authentication, attackers do not need valid credentials to exploit this vulnerability. The fix introduced in versions 2.11.12 and 2.12.3 enforces strict bounds on decompression size, causing decompression to fail early if the message exceeds allowed limits, thus preventing memory exhaustion. This vulnerability is tracked as CWE-409 (Improper Handling of Highly Compressed Data) and CWE-770 (Allocation of Resources Without Limits or Throttling). The CVSS v3.1 score is 5.9 (medium), reflecting network attack vector, high attack complexity, no privileges required, no user interaction, and impact limited to availability.

The primary impact of this vulnerability is denial of service (DoS) due to resource exhaustion. Organizations running nats-server with WebSocket support exposed to untrusted networks risk server crashes and service interruptions if targeted by compression bomb attacks. This can degrade the availability of critical messaging infrastructure, affecting applications relying on real-time communication, event streaming, or microservices coordination. Since exploitation requires no authentication, attackers can launch attacks from external sources without prior access. The disruption could impact cloud-native platforms, edge computing deployments, and any service architectures dependent on NATS messaging. While confidentiality and integrity are not affected, the availability impact can cause operational downtime, loss of business continuity, and potential cascading failures in dependent systems.

Organizations should upgrade affected nats-server deployments to versions 2.11.12 or 2.12.3 or later, where the decompression bounds are properly enforced. If immediate upgrade is not feasible, administrators should consider disabling WebSocket support or restricting WebSocket access to trusted internal networks only, preventing exposure to untrusted endpoints. Network-level protections such as Web Application Firewalls (WAFs) or intrusion prevention systems (IPS) can be configured to detect and block unusually large or suspicious compressed WebSocket frames. Monitoring memory usage and setting resource limits on the nats-server process can help detect and mitigate ongoing attacks. Additionally, implementing rate limiting on incoming WebSocket connections and messages can reduce the risk of resource exhaustion. Regularly auditing and reviewing server exposure and configurations to minimize attack surface is recommended.