CVE-2026-29785
- Source
- https://cve.org/CVERecord?id=CVE-2026-29785
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-29785.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-29785
- Aliases
- Downstream
- Related
- Published
- 2026-03-25T19:38:44.587Z
- Modified
- 2026-04-10T05:41:45.700826Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- NATS Server panic via malicious compression on leafnode port
- Details
-
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.14 and 2.12.5, if the nats-server has the "leafnode" configuration enabled (not default), then anyone who can connect can crash the nats-server by triggering a panic. This happens pre-authentication and requires that compression be enabled (which it is, by default, when leafnodes are used). Versions 2.11.14 and 2.12.5 contain a fix. As a workaround, disable compression on the leafnode port.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/29xxx/CVE-2026-29785.json", "cwe_ids": [ "CWE-476" ], "cna_assigner": "GitHub_M" }- References
-
- https://advisories.nats.io/CVE/secnote-2026-04.txt
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/29xxx/CVE-2026-29785.json
- https://github.com/nats-io/nats-server/commit/a1488de6f2ba6e666aef0f9cce0016f7f167d6a8
- https://github.com/nats-io/nats-server/security/advisories/GHSA-52jh-2xxh-pwh6
- https://nvd.nist.gov/vuln/detail/CVE-2026-29785
Affected packages
Git / github.com/nats-io/nats-server
Affected ranges
Affected versions
v0.*
v0.5.1
v0.5.2
v0.5.4
v0.5.6
v0.6.0
v0.6.2
v0.6.4
v0.6.6
v0.6.8
v0.7.0
v0.7.2
v0.8.0
v0.8.1
v0.9.2
v0.9.4
v0.9.6
v1.*
v1.0.0
v1.0.2
v1.0.4
v1.0.6
v1.1.0
v1.2.0
v1.3.0
v2.*
v2.0.0
v2.0.0-RC14
v2.0.0-RC19
v2.0.2
v2.0.4
v2.1.0
v2.1.2
v2.1.4
v2.1.6
v2.1.7
v2.10.0
v2.10.1
v2.10.2
v2.10.3
v2.11.0
v2.11.0-RC.1
v2.11.0-RC.2
v2.11.0-RC.3
v2.11.0-RC.4
v2.11.0-RC.5
v2.11.10
v2.11.10-RC.1
v2.11.11
v2.11.11-RC.1
v2.11.11-RC.2
v2.11.11-RC.3
v2.11.11-RC.4
v2.11.12
v2.11.12-RC.1
v2.11.12-RC.2
v2.11.12-RC.3
v2.11.12-RC.4
v2.11.12-RC.5
v2.11.12-RC.6
v2.11.12-RC.7
v2.11.2
v2.11.2-RC.1
v2.11.2-RC.2
v2.11.2-RC.3
v2.11.3
v2.11.3-RC.1
v2.11.3-RC.2
v2.11.4
v2.11.4-RC.1
v2.11.4-RC.2
v2.11.4-RC.3
v2.11.5
v2.11.5-RC.1
v2.11.5-RC.2
v2.11.5-RC.3
v2.11.5-RC.4
v2.11.6
v2.11.6-RC.1
v2.11.7
v2.11.7-RC.1
v2.11.7-RC.2
v2.11.7-RC.3
v2.11.8
v2.11.8-RC.1
v2.11.9
v2.11.9-RC.1
v2.11.9-RC.2
v2.11.9-RC.3
v2.12.0
v2.12.0-RC.1
v2.12.0-RC.2
v2.12.0-RC.3
v2.12.0-RC.4
v2.12.0-RC.5
v2.12.0-RC.6
v2.12.1
v2.12.1-RC.1
v2.12.1-RC.2
v2.12.1-RC.3
v2.12.1-RC.4
v2.12.1-RC.5
v2.12.2
v2.12.2-RC.1
v2.12.2-RC.2
v2.12.2-RC.3
v2.12.2-RC.4
v2.12.3
v2.12.3-RC.1
v2.12.3-RC.2
v2.12.3-RC.3
v2.12.3-RC.4
v2.12.3-RC.5
v2.12.4
v2.12.4-RC.1
v2.12.4-RC.2
v2.12.4-RC.3
v2.12.4-RC.4
v2.12.4-RC.5
v2.12.4-RC.6
v2.12.5-RC.1
v2.12.5-RC.2
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.2.4
v2.2.5
v2.2.6
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.4.0
v2.5.0
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.7.0
v2.7.0-rc1
v2.7.0-rc2
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.8.0
v2.8.1
v2.8.2
v2.8.3
v2.8.4
v2.9.0
v2.9.1
v2.9.10
v2.9.11
v2.9.12
v2.9.14
v2.9.15
v2.9.16
v2.9.17
v2.9.18
v2.9.19
v2.9.2
v2.9.20
v2.9.21
v2.9.22
v2.9.3
v2.9.4
v2.9.5
v2.9.6
v2.9.7
v2.9.8
v2.9.9