{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/nats/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["nats","websocket","denial-of-service","CVE-2026-27889","server-crash"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability exists in NATS server versions 2.2.0 through 2.11.13 and 2.12.0 through 2.12.4, enabling unauthenticated remote attackers to trigger a denial-of-service (DoS) condition. The vulnerability stems from a missing sanity check on WebSocket frame lengths, allowing malicious clients to send crafted frames that cause a server panic and crash. This issue impacts deployments that utilize WebSockets and expose the network port to untrusted endpoints. The attack requires no authentication or credentials and can be executed with a single TCP connection sending a malicious WebSocket frame. 
This vulnerability was reported by GitHub users Mistz1 and jiayuqi7813.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker establishes a TCP connection to the NATS server\u0026rsquo;s WebSocket port.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a WebSocket upgrade request to initiate the WebSocket handshake.\u003c/li\u003e\n\u003cli\u003eThe NATS server completes the WebSocket handshake, establishing a WebSocket connection.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted WebSocket frame with a 64-bit extended payload length field where the most significant bit (MSB) is set (e.g., \u003ccode\u003e0x8000000000000001\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe server reads the 8-byte payload length but fails to validate that the MSB is zero, resulting in a negative integer value.\u003c/li\u003e\n\u003cli\u003eThe negative value bypasses the bounds clamp in the \u003ccode\u003ewsRead\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eA slice operation with the negative length triggers a runtime panic due to out-of-bounds access.\u003c/li\u003e\n\u003cli\u003eThe unrecovered panic propagates to the Go runtime, causing the entire NATS server process to terminate, disconnecting all clients.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in a complete denial of service, crashing the entire NATS server process. All connected clients, including NATS, WebSocket, MQTT, cluster routes, gateways, and leaf nodes, are immediately disconnected. JetStream in-flight acknowledgments are lost, and Raft consensus is disrupted in clustered deployments. The attack is repeatable on every server restart, causing significant disruption to services relying on the NATS server. 
Any NATS server deployment with WebSocket listeners enabled is vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the NATS server to version 2.11.14, 2.12.5, or later to patch CVE-2026-27889.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, restrict access to the WebSocket port to trusted endpoints as a defense-in-depth measure, as mentioned in the overview.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule that detects connections carrying crafted WebSocket frames to your SIEM and tune it for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T12:00:00Z","date_published":"2026-03-26T12:00:00Z","id":"/briefs/2026-03-nats-websocket-dos/","summary":"A vulnerability in NATS server allows a remote, unauthenticated attacker to cause a denial of service by sending a crafted WebSocket frame, leading to a server crash due to missing validation on WebSocket frame length.","title":"NATS Server WebSocket Frame Length Overflow Denial of Service","url":"https://feed.craftedsignal.io/briefs/2026-03-nats-websocket-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Nats","version":"https://jsonfeed.org/version/1.1"}