GHSA-vprv-35vv-q339

Source
https://github.com/advisories/GHSA-vprv-35vv-q339
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-vprv-35vv-q339/GHSA-vprv-35vv-q339.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-vprv-35vv-q339
Published
2026-03-24T21:45:29Z
Modified
2026-03-27T22:18:40.857350Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
NATS has pre-auth server panic via leafnode handling
Details

Background

NATS.io is a high-performance, open-source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

nats-server supports hub-and-spoke topologies in which other nats-server instances connect to it over dedicated "leafnode" connections, accepted on a separate leafnode listener (port).

Problem Description

Any client that can reach the leafnode port can crash (panic) the nats-server by sending a particular malformed message before authentication completes. No credentials are required, which is why the CVSS vector carries PR:N and the impact is confined to availability (A:H).

Affected Versions

All 2.12.x releases from v2.12.0-RC.1 up to but not including v2.12.6, and every release before v2.11.15 (the 2.11.x line and all earlier versions). The fixes are v2.12.6 and v2.11.15 respectively.
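The two affected ranges above straddle a pre-release boundary (2.12.0-RC.1) and two release lines, so a naive string comparison gets the edge cases wrong. The following is an added example, not code from the advisory or from the nats-server project: it parses the `version` field of the INFO banner a nats-server sends on connect (the standard NATS protocol INFO line) and classifies it against the advisory's ranges. The sample banners are constructed for illustration, not captured from real servers; the field names beyond `version` are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// version is a parsed nats-server version: major.minor.patch plus an
// optional pre-release tag such as "RC.1".
type version struct {
	major, minor, patch int
	pre                 string
}

// parseVersion accepts "2.12.0-RC.1", "v2.11.14" or "2.11.14+meta".
// nats-server reports a plain "major.minor.patch" in its INFO banner.
func parseVersion(s string) (version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexByte(s, '+'); i >= 0 {
		s = s[:i] // build metadata never affects ordering
	}
	var v version
	if i := strings.IndexByte(s, '-'); i >= 0 {
		v.pre = s[i+1:]
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("malformed version %q", s)
	}
	fields := [3]*int{&v.major, &v.minor, &v.patch}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("malformed version %q", s)
		}
		*fields[i] = n
	}
	return v, nil
}

// less reports v < w under semver ordering: numeric triple first, then a
// pre-release sorts before the release that shares its triple.
func (v version) less(w version) bool {
	if v.major != w.major {
		return v.major < w.major
	}
	if v.minor != w.minor {
		return v.minor < w.minor
	}
	if v.patch != w.patch {
		return v.patch < w.patch
	}
	switch {
	case v.pre == "" && w.pre == "":
		return false
	case v.pre == "":
		return false // a release is not less than its own pre-release
	case w.pre == "":
		return true // a pre-release precedes the release
	}
	return v.pre < w.pre // lexical: fine for RC.1 < RC.2, not for RC.10
}

// affected applies the advisory's ranges: every version below 2.11.15,
// plus 2.12.0-RC.1 <= v < 2.12.6.
func affected(v version) bool {
	fixed211 := version{2, 11, 15, ""}
	intro212 := version{2, 12, 0, "RC.1"}
	fixed212 := version{2, 12, 6, ""}
	if v.less(fixed211) {
		return true
	}
	return !v.less(intro212) && v.less(fixed212)
}

// infoVersion extracts "version" from an INFO line such as
//   INFO {"server_id":"...","version":"2.11.14",...}
func infoVersion(line string) (string, error) {
	line = strings.TrimSpace(line)
	if !strings.HasPrefix(line, "INFO ") {
		return "", fmt.Errorf("not an INFO line")
	}
	var info struct {
		Version string `json:"version"`
	}
	if err := json.Unmarshal([]byte(line[5:]), &info); err != nil {
		return "", err
	}
	if info.Version == "" {
		return "", fmt.Errorf("INFO line has no version field")
	}
	return info.Version, nil
}

// triage classifies one INFO line as "affected", "fixed" or "unparseable".
func triage(line string) string {
	vs, err := infoVersion(line)
	if err != nil {
		return "unparseable"
	}
	v, err := parseVersion(vs)
	if err != nil {
		return "unparseable"
	}
	if affected(v) {
		return "affected"
	}
	return "fixed"
}

func main() {
	// Constructed sample banners (assumed field names other than "version").
	samples := []string{
		`INFO {"server_id":"NA","version":"2.11.14","go":"go1.24.0"}`,
		`INFO {"server_id":"NB","version":"2.12.0-RC.1"}`,
		`INFO {"server_id":"NC","version":"2.12.6"}`,
		`INFO {"server_id":"ND","version":"2.11.15"}`,
	}
	for _, s := range samples {
		fmt.Printf("%-12s %s\n", triage(s), s)
	}
}
```

Feed `triage` the first line returned by a TCP connect to each server in your inventory (the banner is sent before any client message, so no credentials are needed to collect it). The pre-release handling matters: 2.12.6-RC.1 is still below the 2.12.6 fix and is reported as affected.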

Workarounds

  1. Disable leafnode support if it is not needed.
  2. Restrict network access to the leafnode port, where that is feasible without breaking the service you offer.

Because the crash happens before authentication, leafnode credentials or TLS client authentication alone do not mitigate it; only removing the listener, limiting who can reach it, or upgrading does.

References

Database specific
{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-20"
    ],
    "nvd_published_at": "2026-03-25T20:16:32Z",
    "github_reviewed_at": "2026-03-24T21:45:29Z",
    "severity": "HIGH"
}
Affected packages

Go / github.com/nats-io/nats-server/v2

Package

Name
github.com/nats-io/nats-server/v2
Purl
pkg:golang/github.com/nats-io/nats-server/v2

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.11.15

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-vprv-35vv-q339/GHSA-vprv-35vv-q339.json"

Go / github.com/nats-io/nats-server/v2

Package

Name
github.com/nats-io/nats-server/v2
Purl
pkg:golang/github.com/nats-io/nats-server/v2

Affected ranges

Type
SEMVER
Events
Introduced
2.12.0-RC.1
Fixed
2.12.6

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-vprv-35vv-q339/GHSA-vprv-35vv-q339.json"

Go / github.com/nats-io/nats-server

Package

Name
github.com/nats-io/nats-server
Purl
pkg:golang/github.com/nats-io/nats-server

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-vprv-35vv-q339/GHSA-vprv-35vv-q339.json"