Skip to content
Threat Feed
high advisory

NATS Server Panic via Malicious Compression on Leafnode Port

A vulnerability exists in NATS servers configured to accept leafnode connections where a malicious remote NATS server can trigger a server panic by exploiting compression negotiation on the leafnode port.

NATS.io is a high-performance open-source pub-sub distributed communication technology. A vulnerability exists when a NATS server is configured to accept leafnode connections, which is not the default setting. In this configuration, a malicious remote NATS server can trigger a server panic by exploiting the compression negotiation process on the leafnode port (default 7422). This vulnerability, identified as CVE-2026-29785, occurs pre-authentication, meaning an attacker does not need valid credentials. The vulnerability affects NATS server versions prior to v2.11.14 and versions between v2.12.0-RC.1 and v2.12.5. Defenders should disable compression on the leafnode port to mitigate this risk.

Attack Chain

  1. The attacker identifies a NATS server with leafnode configuration enabled and compression active on port 7422.
  2. The attacker establishes a connection to the leafnode port (7422) of the target NATS server.
  3. The attacker initiates a compression negotiation handshake with the target server.
  4. The attacker sends a crafted message during the compression negotiation, designed to exploit a vulnerability in the NATS server's compression handling logic.
  5. The NATS server attempts to process the malicious compression data.
  6. Due to the crafted nature of the data, the NATS server's compression library triggers a panic.
  7. The NATS server process terminates abruptly due to the panic.
  8. The NATS server becomes unavailable, disrupting NATS-based communication.

Impact

Successful exploitation of this vulnerability results in a denial-of-service (DoS) condition. Any NATS server configured to accept leafnode connections is vulnerable. This could impact cloud, on-premise, IoT, and edge computing environments using NATS for inter-service communication. The exact number of affected systems is unknown, but the impact is significant as it can disrupt critical communication pathways.

Recommendation

  • Disable compression on the leafnode port by setting compression: off in the NATS server configuration file as described in the advisory to remediate CVE-2026-29785.
  • Monitor network connections to port 7422, the default leafnode port, for unexpected connection attempts from untrusted sources (refer to the IOC table).
  • Deploy the Sigma rule to detect connections to the leafnode port with unexpected client IP addresses.

Detection coverage 2

Detect Connections to NATS Leafnode Port

info

Detects connections to the default NATS leafnode port (7422). Modify the DestinationPort value if a custom port is configured.

sigma tactics: initial_access sources: network_connection, windows

Detect Connections to NATS Leafnode Port - Linux

info

Detects connections to the default NATS leafnode port (7422) on Linux systems. Modify the DestinationPort value if a custom port is configured.

sigma tactics: initial_access sources: network_connection, linux

Detection queries are available on the platform. Get full rules →

Indicators of compromise

1

port

TypeValue
port7422