CVE-2026-58250
HIGHNATS Server: Pre-auth server crash via double INFO in leafnode handshake
Title source: cnaDescription
NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.12.8 and 2.11.17, an unauthenticated peer with network access to a leafnode listener with compression enabled could crash the server during the pre-authentication leafnode handshake by sending repeated leafnode INFO protocol messages before authentication and account setup completed. This issue is fixed in versions 2.12.8 and 2.11.17.
References (5)
Core 5
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/nats-io/nats-server/security/advisories/GHSA-3g5q-cfh2-cq67
X_Refsource_Misc x_refsource_misc
https://github.com/nats-io/nats-server/commit/8dcb26eaea78fdcbe96dbee5986d6019fd5cb94a
X_Refsource_Misc x_refsource_misc
https://github.com/nats-io/nats-server/commit/fc5fe39177533e9dbdd651d2458285bfae1dde27
X_Refsource_Misc x_refsource_misc
https://github.com/nats-io/nats-server/releases/tag/v2.11.17
X_Refsource_Misc x_refsource_misc
https://github.com/nats-io/nats-server/releases/tag/v2.12.8
Scores
CVSS v3
7.5
EPSS
0.0073
EPSS Percentile
50.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-476
Status
published
Products (3)
linuxfoundation/nats-server
< 2.11.17
nats-io/nats-server
< 2.11.17
nats-io/nats-server
>= 2.12.0-preview.1, < 2.12.8
Published
Jul 08, 2026
Tracked Since
Jul 09, 2026