GHSA-qrvq-68c2-7grw
MEDIUMnats-server websockets are vulnerable to pre-auth memory DoS
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
github.com/nats-io/nats-server/v2🐹github.com/nats-io/nats-server/v2🐹github.com/nats-io/nats-serverReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.
Description
Impact
The WebSockets handling of NATS messages handles compressed messages via the WebSockets negotiated compression. The implementation bound the memory size of a NATS message but did not independently bound the memory consumption of the memory stream when constructing a NATS message which might then fail validation for size reasons.
An attacker can use a compression bomb to cause excessive memory consumption, often resulting in the operating system terminating the server process.
The use of compression is negotiated before authentication, so this does not require valid NATS credentials to exploit.
The fix was to bounds the decompression to fail once the message was too large, instead of continuing on.
Patches
This was released in nats-server without being highlighted as a security issue. It should have been, this was an oversight. Per the NATS security policy, because this does not require a valid user, it is CVE-worthy.
This was fixed in the v2.11 series with v2.11.12 and in the v2.12 series with v2.12.3.
Workarounds
This only affects deployments which use WebSockets and which expose the network port to untrusted end-points.
References
This was reported to the NATS maintainers by Pavel Kohout of Aisle Research (www.aisle.com).
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐹Go | github.com/nats-io/nats-server/v2 | all versions | 2.11.12 |
| 🐹Go | github.com/nats-io/nats-server/v2 | ≥ 2.12.0-RC.1&&< 2.12.3 | 2.12.3 |
| 🐹Go | github.com/nats-io/nats-server | all versions | No fix |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/nats-io/nats-server/v2. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update github.com/nats-io/nats-server/v2 to 2.11.12 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-qrvq-68c2-7grw is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-qrvq-68c2-7grw is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-qrvq-68c2-7grw. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-qrvq-68c2-7grw in your dependencies?
O3 detects GHSA-qrvq-68c2-7grw across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.