Security: nats-io/nats-server
Security
No security policy detected
This project has not set up a SECURITY.md file yet.
Report a vulnerability-
Remote crash via integer overflow in Connz paginationGHSA-q59r-vq66-pxc2 published
Jun 29, 2026 by neilalexanderHigh -
MQTT-over-WebSocket Path Can Crash WebSocket-Only JetStream Servers Before MQTT Is EnabledGHSA-p957-7v2w-g93g published
Jun 29, 2026 by neilalexanderModerate -
MQTT retained and QoS replay bypass subscribe deny filtersGHSA-7qmq-8cc4-hxwg published
Jun 29, 2026 by neilalexanderModerate -
MQTT partial CONNECT packets can exhaust pre-auth memoryGHSA-r72h-j7qq-v6qg published
Jun 29, 2026 by neilalexanderHigh -
`no_auth_user` pre-CONNECT fast path bypasses user connection restrictionsGHSA-hmmp-q8cx-v964 published
Jun 29, 2026 by neilalexanderModerate -
Pre-auth panic and server hang via malformed JWT issuer (missing Ed25519 length check in nkeys)GHSA-g33f-6538-grxh published
Jun 29, 2026 by neilalexanderHigh -
MQTT SUBSCRIBE Protocol Injection via Leaf Node/Route Forwarding allows arbitrary NATS command injection (CWE-74)GHSA-qrcv-3558-gj4f published
Jun 29, 2026 by neilalexanderHigh -
MQTT subscribe ACL bypass via $MQTT.deliver.pubrel prefix (incomplete fix for CVE-2026-33217)GHSA-4g68-3pwx-5vfj published
Jun 29, 2026 by neilalexanderModerate -
Incomplete fix for CVE-2026-33249: Leaf node connections bypass Nats-Trace-Dest permission checkGHSA-p3j5-5hrq-p75h published
Jun 29, 2026 by neilalexanderModerate -
Pre-auth server crash via double INFO in leafnode handshake — incomplete fix for CVE-2026-29785 and CVE-2026-33218GHSA-3g5q-cfh2-cq67 published
Jun 29, 2026 by neilalexanderHigh
Learn more about advisories related to nats-io/nats-server in the GitHub Advisory Database