CVE-2026-58250 in nats-serverinfo

Summary

by MITRE • 07/08/2026

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.12.8 and 2.11.17, an unauthenticated peer with network access to a leafnode listener with compression enabled could crash the server during the pre-authentication leafnode handshake by sending repeated leafnode INFO protocol messages before authentication and account setup completed. This issue is fixed in versions 2.12.8 and 2.11.17.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/08/2026

The NATS Server represents a critical messaging infrastructure component within cloud and edge native environments, serving as the backbone for distributed communication patterns that power modern microservices architectures. This high-performance server implementation has been widely adopted across enterprise and cloud-native deployments due to its low latency and scalable design characteristics. The vulnerability under examination affects the server's handling of leafnode connections, which serve as a fundamental mechanism for connecting remote NATS servers in federated messaging topologies. Leafnodes enable organizations to extend their messaging infrastructure across multiple networks while maintaining consistent communication patterns and security boundaries. The specific flaw manifests during the pre-authentication handshake phase when the server processes incoming connection requests from unauthenticated peers attempting to establish leafnode connections.

The technical vulnerability stems from inadequate input validation and resource management within the server's protocol handling logic during the initial connection negotiation process. When compression is enabled on the leafnode listener, an attacker can exploit a race condition by repeatedly sending INFO protocol messages before the authentication and account setup procedures complete. This malicious behavior causes the server to consume excessive memory resources and processing cycles as it attempts to handle malformed or repeated handshake sequences. The flaw represents a classic denial-of-service vulnerability that leverages the server's legitimate protocol handling mechanisms to create resource exhaustion conditions. From a cybersecurity perspective, this issue aligns with CWE-400, which categorizes unchecked resource consumption as a fundamental weakness in software design and implementation practices.

The operational impact of this vulnerability extends beyond simple service disruption, potentially affecting mission-critical messaging infrastructures that rely on NATS Server for real-time data processing and event-driven architectures. Organizations deploying NATS Server in production environments could experience complete service outages when malicious actors exploit this flaw, particularly in scenarios where leafnode connections are enabled for external access. The vulnerability's exploitation requires only network access to the affected server's leafnode listener port, making it relatively easy to target without requiring authentication credentials or deep system knowledge. This accessibility factor significantly increases the attack surface and potential impact across various deployment scenarios including containerized environments, cloud platforms, and hybrid infrastructure configurations. The issue particularly affects organizations that enable compression features on their leafnode listeners as part of performance optimization strategies.

Security practitioners should prioritize immediate remediation efforts by upgrading to NATS Server versions 2.12.8 or 2.11.17, which implement proper input validation and resource management controls to prevent the exploitation of this vulnerability. Organizations lacking immediate upgrade capabilities should consider implementing network-level restrictions that limit access to leafnode listener ports, particularly from untrusted networks or external sources. The mitigation strategy should also include monitoring for unusual patterns in INFO protocol message sequences and implementing connection rate limiting measures to prevent abuse of the authentication handshake process. From an ATT&CK framework perspective, this vulnerability maps to techniques involving resource exhaustion and service disruption, specifically targeting the server availability aspect of the security triad. Network segmentation and firewall rules that restrict leafnode listener access should be implemented as part of defense-in-depth strategies to minimize exposure while maintaining legitimate operational functionality.

Responsible

GitHub M

Reservation

06/29/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!