Update module github.com/nats-io/nats-server/v2 to v2.12.6 [SECURITY]#47

Open
renovate[bot] wants to merge 1 commit into main from renovate/go-github.com-nats-io-nats-server-v2-vulnerability

@renovate renovate Bot commented Mar 24, 2026

This PR contains the following updates:

Package Change
github.com/nats-io/nats-server/v2 v2.12.4 -> v2.12.6

NATS: Message tracing can be redirected to arbitrary subject

CVE-2026-33249 / GHSA-8m2x-3m6q-6w8j

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server supports telemetry on messages, using the per-message NATS headers.

Problem Description

A valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject, including those to which the client does not have publish permission.

The payload is a valid trace message and not chosen by the attacker.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

None.

Severity

  • CVSS Score: 4.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


NATS credentials are exposed in monitoring port via command-line argv

CVE-2026-33247 / GHSA-x6g4-f6q3-fqvv

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server provides an optional monitoring port, which provides access to sensitive data. The nats-server can take certain configuration options on the command-line instead of requiring a configuration file.

Problem Description

If a nats-server is run with static credentials for all clients provided via argv (the command-line), then those credentials are visible to any user who can see the monitoring port, if that too is enabled.

The /debug/vars end-point contains an unredacted copy of argv.

Patches

Fixed in nats-server 2.12.6 & 2.11.15

Workarounds

The NATS Maintainers are bemused at the concept of someone deploying a real configuration using --pass to avoid a config file, but also enabling monitoring.

Configure credentials inside a configuration file instead of via argv.

Do not enable the monitoring port if using secrets in argv.

Best practice remains to not expose the monitoring port to the Internet, or to untrusted network sources.

Severity

  • CVSS Score: 7.4 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N


NATS Server panic via malicious compression on leafnode port

CVE-2026-29785 / GHSA-52jh-2xxh-pwh6

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

When configured to accept leafnode connections (for a hub/spoke topology of multiple nats-servers), then the default configuration allows for negotiating compression; a malicious remote NATS server can trigger a server panic via that compression.

Problem Description

If the nats-server has the "leafnode" configuration enabled (not default), then anyone who can connect can crash the nats-server by triggering a panic. This happens pre-authentication and requires that compression be enabled (which it is, by default, when leafnodes are used).

Context: a NATS server can form various clustering topologies, including local clusters, and superclusters of clusters, but leafnodes allow for separate administrative domains to link together with limited data communication; eg, a server in a moving vehicle might use a local leafnode for agents to connect to, and sync up to a central service as and when available. The leafnode configuration here is where the central server allows other NATS servers to connect into it, almost like regular NATS clients. Documentation examples typically use port 7422 for leafnode communications.

Affected Versions

Version 2, prior to v2.11.14 or v2.12.5

Workarounds

Disable compression on the leafnode port:

leafnodes {
  port: 7422
  compression: off
}

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


NATS is vulnerable to MQTT hijacking via Client ID

CVE-2026-33215 / GHSA-fcjp-h8cc-6879

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server provides an MQTT client interface.

Problem Description

Sessions and Messages can be hijacked via MQTT Client ID malfeasance.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

None.

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L


NATS has MQTT plaintext password disclosure

CVE-2026-33216 / GHSA-v722-jcv5-w7mc

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server provides an MQTT client interface.

Problem Description

For MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed via monitoring endpoints.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

Ensure monitoring end-points are adequately secured.

Best practice remains to not expose the monitoring endpoint to the Internet or other untrusted network users.

Severity

  • CVSS Score: 8.6 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N


NATS allows MQTT clients to bypass ACL checks

CVE-2026-33217 / GHSA-jxxm-27vp-c3m5

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server provides an MQTT client interface.

Problem Description

When using ACLs on message subjects, these ACLs were not applied in the $MQTT.> namespace, allowing MQTT clients to bypass ACL checks for MQTT subjects.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

None.

Severity

  • CVSS Score: 7.1 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N


NATS has pre-auth server panic via leafnode handling

CVE-2026-33218 / GHSA-vprv-35vv-q339

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server allows hub/spoke topologies using "leafnode" connections by other nats-servers.

Problem Description

A client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

  1. Disable leafnode support if not needed.
  2. Restrict network connections to your leafnode port, if plausible without compromising the service offered.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


NATS is vulnerable to pre-auth DoS through WebSockets client service

CVE-2026-33219 / GHSA-8r68-gvr4-jh7j

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server offers a WebSockets client service, used in deployments where browsers are the NATS clients.

Problem Description

A malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires sending a corresponding amount of data.

This is a milder variant of NATS-advisory-ID 2026-02 (aka CVE-2026-27571; GHSA-qrvq-68c2-7grw).
That earlier issue was a compression bomb, this vulnerability is not. Attacks against this new issue thus require significant client bandwidth.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

Disable websockets if not required for project deployment.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L


NATS JetStream has an authorization bypass through its Management API

CVE-2026-33222 / GHSA-9983-vrx2-fg9c

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The persistent storage feature, JetStream, has a management API which has many features, amongst which are backup and restore.

Problem Description

Users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

If developers have configured users to have limited JetStream restore permissions, temporarily remove those permissions.

Severity

  • CVSS Score: 4.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N


NATS Server: Incomplete Stripping of Nats-Request-Info Header Allows Identity Spoofing

CVE-2026-33223 / GHSA-pwx7-fx9r-hr4h

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server offers a Nats-Request-Info: message header, providing information about a request.

Problem Description

The NATS message header Nats-Request-Info: is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was not fully effective.

An attacker with valid credentials for any regular client interface could thus spoof their identity to services which rely upon this header.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

None.

Severity

  • CVSS Score: 6.4 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N


NATS: Leafnode connections allow spoofing of Nats-Request-Info identity headers

CVE-2026-33246 / GHSA-55h8-8g96-x4hj

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The nats-server allows hub/spoke topologies using "leafnode" connections by other nats-servers. NATS messages can have headers.

Problem Description

The nats-server offers a Nats-Request-Info: message header, providing information about a request. This is supposed to provide enough information to allow for account/user identification, such that NATS clients could make their own decisions on how to trust a message, provided that they trust the nats-server as a broker.

A leafnode connecting to a nats-server is not fully trusted unless the system account is bridged too. Thus identity claims should not have propagated unchecked.

Thus NATS clients relying upon the Nats-Request-Info: header could be spoofed.

Does not directly affect the nats-server itself, but the CVSS Confidentiality and Integrity scores are based upon what a hypothetical client might choose to do with this NATS header.

Affected Versions

Any version before v2.12.6 or v2.11.15

Workarounds

None.

Severity

  • CVSS Score: 6.4 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N


NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching

CVE-2026-33248 / GHSA-3f24-pcvm-5jqc

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

One authentication model supported is mTLS, deriving the NATS client identity from properties of the TLS Client Certificate.

Problem Description

When using mTLS for client identity, with verify_and_map to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypass.

This does require a valid certificate from a CA already trusted for client certificates, and DN naming patterns which the NATS maintainers consider highly unlikely.

So this is an unlikely attack. Nonetheless, administrators who have been very sophisticated in their DN construction patterns might conceivably be impacted.

Affected Versions

Fixed in nats-server 2.12.6 & 2.11.15

Workarounds

Developers should review their CA issuing practices.

Severity

  • CVSS Score: 4.2 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N


Release Notes

nats-io/nats-server (github.com/nats-io/nats-server/v2)

v2.12.6

Changelog

Refer to the 2.12 Upgrade Guide for backwards compatibility notes with 2.11.x.

Go Version
  • 1.25.8
Dependencies
CVEs
Improved

General

  • Non-WebSocket leafnode connections can now be proxied using HTTP CONNECT (#​7781)
  • The $SYS.REQ.USER.INFO response now includes the friendly nametag of the account and/or user if known (#​7973)

JetStream

  • The stream peer-remove command now accepts a peer ID as well as a server name (#​7952)

MQTT

  • Protocol compliance has been improved, including more error handling on invalid or malformed MQTT packets (#​7933)
Fixed

General

  • Client connections are no longer registered after an auth callout timeout (#​7932)
  • Improved handling of duplicate headers
  • A correctness bug when validating relative distinguished names has been fixed
  • Secrets are now redacted correctly in trace logging (#​7942)
  • The expvar endpoint on the monitoring port now correctly redacts secrets from the command line arguments
  • Trace headers are no longer incorrectly parsed when hitting max payload (#​7954)
  • When running as a Windows service, switching to lame duck mode should now correctly exit the process (#​7958)
  • The configuration digest no longer removes from the used variable tracking, which could cause configuration fields to disappear from the returned config (#​7959)
  • A bug which could result in the service import cycle detection failing to detect a genuine cycle has been fixed (#​7961)
  • The PROXY protocol v1 header parser no longer incorrectly discards some early protocol bytes from the client (#​7962)
  • The Nats-Trace-Dest message header for message tracing now requires that the client have publish permissions to the specified subject, an error is returned otherwise
  • The route pool is now correctly populated if receiving a pong before handling the new route setup (#​7971)

Leafnodes

  • A panic when receiving a loop detection error before a connect message has been fixed
  • Messages from leafnodes to non-shared service imports now correctly rebuild the request info header
  • Leafnodes will now back off on receiving a minimum version required error, no longer requiring blocking the readloop (#​7970)

JetStream

  • Stream updates on clustered setups with async snapshots enabled should no longer result in the loss of consumer assignments, fixing the regression introduced in 2.12.5 (#​7939)
  • Fixed idempotent stream create with sources (#​7928)
  • Fixed a bug where mirror goroutines could get stuck stalling the mirror indefinitely (#​7929)
  • A panic that could occur when attempting to scale down a stream with an in-flight stream create and consumer create has been fixed (#​7940)
  • A panic when paginating on various JetStream API endpoints has been fixed
  • An interior path traversal bug that could occur when purging JetStream accounts has been fixed
  • Meta snapshot apply errors are now surfaced correctly so that the cluster monitor does not advance the applied index (#​7944)
  • Fixed an issue where extremely large JetStream reservations could overflow and violate tier limits
  • Stream restores now ensure that the stream name in the restore subject matches that of the restored snapshot archive
  • Stream ingest now correctly strips a NATS status header if present, avoiding incorrect classification of sourced or mirrored messages as control traffic
  • The Raft layer now resets the vote correctly when switching to candidate state (#​7956)
  • The orphan consumer check no longer unexpectedly deletes direct consumers, which could affect sourcing and mirroring (#​7957)
  • The Raft layer no longer commits entries from previous terms by only allowing entries from our current term up to the commit (#​7955)
  • Stream restores are now processed directly from the wire without intermediate staging on the filesystem, improving the enforcement of limits and reservations on disk
  • Stream sourcing now works correctly when sourcing into a stream with the Discard New Per Subject discard policy (#​7896)

MQTT

  • A panic that could occur when processing invalid fixed32 or fixed64 fields has been fixed (#​7941)
  • Persisted MQTT sessions can no longer be restored by a non-matching client ID
  • Restrict the implicit permissions for MQTT clients to $MQTT.sub. and $MQTT.deliver.pubrel. prefixes
  • MQTT passwords are no longer exposed in the JWT field of monitoring endpoints or advisory messages
  • NATS special characters (., >, *, spaces, tabs) are no longer permitted in MQTT client IDs
  • MQTT session flapping detection now uses monotonic time, fixing cases where it could be sensitive to NTP adjustments or clock drifts

WebSockets

  • WebSocket protocol parsing no longer relies on potentially unbounded in-memory allocations from compressed or uncompressed frames

v2.12.5

Changelog

Refer to the 2.12 Upgrade Guide for backwards compatibility notes with 2.11.x.

[!WARNING]
A regression has been found in this version where a stream update may result in the loss of consumers in clustered deployments in specific cases. Single-server deployments are not affected. To temporarily mitigate, set meta_compact_sync: true in the jetstream config block and perform a configuration reload. We will soon follow up with a fixed 2.12.6 release.

Go Version
  • 1.25.8
Dependencies
  • github.com/nats-io/nkeys v0.4.15 (#​7797)
  • github.com/klauspost/compress v1.18.4 (#​7812)
  • golang.org/x/sys v0.42.0 (#​7923)
  • github.com/antithesishq/antithesis-sdk-go v0.6.0-default-no-op (#​7835)
  • golang.org/x/crypto v0.48.0 (#​7874)
  • github.com/nats-io/nats.go v1.49.0 (#​7835)
  • golang.org/x/time v0.15.0 (#​7923)
CVEs
Added

JetStream

  • The stream snapshot/backup endpoint now accepts the window_size parameter, to allow improving flow control over slow or unreliable connections (#​7839)
Improved

General

  • max_conns in the server configuration can now be configured to 0 (zero) to reject all incoming client connections (#​7877)

JetStream

  • "Catchup for stream" log lines are now more consistent (#​7784)
  • Raft now only accepts forwarded proposals if caught up as the new leader, limiting potentially unbounded log growth (#​7809)
  • Raft now correctly refuses concurrent membership changes if forwarded a peer removal from another node (#​7809)
  • The max_consumers limit of a stream can now be updated after stream creation (#​7724)
  • The pending messages and bytes are now included in consumer unpin responses (#​7815)
  • Stream backups/snapshots are now streamed to clients with improved flow control, which should improve throughput and robustness, particularly over unreliable links, reducing the chance of backups failing due to flow control errors (#​7828)
  • Orphaned stream and consumer checks are now aligned with the metalayer snapshot logic (#​7826)
  • Wildcard filtering when loading messages is now considerably faster in the memory store (#​7840, #​7855)
  • Metalayer snapshots now take place asynchronously when possible, such that JS API operations are not blocked while the snapshot is taking place (#​7827, #​7846)
    • This behaviour can be disabled by setting meta_compact_sync: true in the jetstream configuration block
  • Consumers with a single subject filter no longer incorrectly use the multi-filter message lookups (#​7856)
  • The check for colliding stream subjects is now faster (#​7870)
  • Raft replica lag and current values in stream info, consumer info and /jsz are now more consistent, no longer reporting incorrect values on follower nodes (#​7885)
  • Num pending calculations for R1 consumers now happen asynchronously and should no longer block the metalayer (#​7889)
Fixed

General

  • Routed message arguments no longer escape to the heap, improving performance (#​7867)
  • Malformed functions or operations in user permissions templates or on invalid template expansion during auth should no longer result in a server panic

Leafnodes

  • A crash when leafnodes with bad credentials perform an auth callout has been fixed (#​7844)
  • Receiving a leafnode subscription before negotiating compression should no longer result in a server panic

JetStream

  • A filestore bug which could hold onto a lock when exiting after an error has been fixed (#​7780)
  • The filestore now always uses tombstones for recovering trailing deletes (#​7782)
  • Fixed a race condition when rebuilding block state during recovery (#​7783)
  • The filestore binary search for a message block now correctly sorts blocks that contain only tombstones (#​7787)
  • Fixed a data race for streams when acquiring the deduplication sequence (#​7789)
  • Raft now correctly checks the closed state when reporting if the node is current (#​7793)
  • Raft now sets the election timeout instead of the campaign timeout when leaving observer mode (#​7793)
  • The metalayer now tracks in-flight meta changes for invalid stream or consumer updates (#​7798)
  • The metalayer no longer incorrectly overwrites local consumer assignments before they are applied, which would result in them being omitted from the meta snapshot (#​7798)
  • The inactive threshold clean-up no longer leaves lingering goroutines (#​7799)
  • Pooled publish message underlying buffer capacity is now reused correctly (#​7790)
  • Consumers with overlapping filter subjects where one is not a subset of the other are now allowed (#​7810)
  • The filestore now checksums after truncation on compressed or encrypted stores (#​7816)
  • The filestore no longer leaks locks in various error states (#​7816)
  • The filestore now correctly holds the lock during snapshotting on encrypted stores (#​7816)
  • The filestore now ensures that num pending calculations cannot overflow (#​7816)
  • The filestore now correctly recalculates the subject state as needed when finding last sequences (#​7816)
  • The filestore now sorts configured subjects when checking whether filters represent all of the configured filters (#​7816)
  • The filestore now avoids subject and header corruption in more cases (#​7816)
  • Consumer unpinning is now handled correctly when stepping down (#​7819)
  • Consumer unpinning now allows the next client to pick up the next pin without waiting for new messages (#​7819)
  • Fixed a race condition when remapping the underlying group of a replicated asset (#​7820, #​7883)
  • An overflowed pull request when min pending or min ack pending is above the threshold is now handled correctly (#​7795)
  • Timers are no longer leaked when failing to set up mirrors, which resulted in high CPU usage (#​7825)
  • Monitor quit channels are created on demand, fixing cases where an asset restarts with a different underlying Raft group (#​7837)
  • Recovered streams and consumers are now correctly handled when not present in a metalayer catchup snapshot (#​7824)
  • Ensure that messages that have reached the max deliver state are preserved with the WorkQueue retention policy (#​7845)
  • An inconsistency with consumer naming between the current and legacy consumer create endpoints has been fixed (#​7848)
  • The Raft layer no longer incorrectly reverts the last snapshot applied sequence when truncating uncommitted entries after a catchup snapshot (#​7849)
  • The Raft layer no longer incorrectly restores the cluster size to 1 at startup, which could result in an isolated node incorrectly winning a single-node election (#​7850)
  • The memory store correctly refreshes the last sequence of a subject in the subject state tracking (#​7865)
  • Tiered reservations are now handled more consistently, fixing issues where replicated assets could be over-counted and where reservations were incorrectly applied on recovery (#​7880)
  • When scaling down a replicated consumer to R1, the correct consumer name is now used in the request where no durable name is set (#​7891)
  • Consumer deletion will now retry correctly when erroring with a directory not empty error (#​7886)
  • The store_max_stream_bytes and memory_max_stream_bytes are no longer incorrectly applied when determining whether account resource limits have been exceeded, fixing a long-standing bug where it would incorrectly limit total reservations (#​7895)
  • A race condition in the memory store when updating the delete map has been fixed (#​7897)
  • Stream source checks are now enforced correctly when from a different account or domain (#​7903)
  • Consumer assignments no longer incorrectly handle or store transition state which could lead to issues on recovery or cause consumer state to be lost (#​7905, #​7908)

MQTT

  • SUB and UNSUB packets now correctly detect and reject the Packet Identifier being set to 0 (#​7805)

WebSockets

  • Fix invalid parsing of 64-bit payload lengths, which could lead to a server panic
  • Correctly reject compressed frames when compression was not negotiated as a part of the handshake
  • The Origin header validation now validates the protocol scheme as well as host and port
  • Gracefully handle failed connection upgrades
  • The CLOSE frame lengths and status codes are now validated correctly
  • The compressor state is correctly reset when a max payload error occurs
  • Buffers are now correctly reused, reducing memory pressure (#​7901)
  • Empty compressed buffers should no longer result in a server panic
Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
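
A check for the CVE-2026-33247 workaround in the comment above ("Configure credentials inside a configuration file instead of via argv"), as an added example that is not part of the PR, Renovate's output or the nats-server code base. It audits a `/debug/vars` response from your own server for credential flags in the published argv; the flag list (`--user`, `--pass`, `--auth`) and both sample bodies are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// credentialFlags lists nats-server command-line options that carry client
// credentials. Assumption: --user, --pass and --auth cover this deployment.
var credentialFlags = map[string]bool{"user": true, "pass": true, "auth": true}

// Finding records a credential flag seen in argv. The value itself is never
// stored, only its length, so the audit output is safe to log.
type Finding struct {
	Flag     string
	ValueLen int
}

// Constructed sample bodies in the shape Go's expvar handler serves.
const (
	sampleArgvSecrets = `{"cmdline":["nats-server","-m","8222","--user","svc","--pass=EXAMPLE-ONLY"],"memstats":{"Alloc":0}}`
	sampleConfigFile  = `{"cmdline":["nats-server","-c","/etc/nats/nats.conf"],"memstats":{"Alloc":0}}`
)

// AuditCmdline parses a /debug/vars response body and reports every credential
// flag present in the published argv, in either "--flag value" or
// "--flag=value" form.
func AuditCmdline(body []byte) ([]Finding, error) {
	var vars struct {
		Cmdline []string `json:"cmdline"`
	}
	if err := json.Unmarshal(body, &vars); err != nil {
		return nil, fmt.Errorf("parse /debug/vars: %w", err)
	}
	var findings []Finding
	for i := 1; i < len(vars.Cmdline); i++ { // index 0 is the program name
		arg := vars.Cmdline[i]
		if !strings.HasPrefix(arg, "-") {
			continue
		}
		name, value, inline := strings.Cut(strings.TrimLeft(arg, "-"), "=")
		if !credentialFlags[name] {
			continue
		}
		if !inline && i+1 < len(vars.Cmdline) {
			i++ // the value is the next argv element
			value = vars.Cmdline[i]
		}
		findings = append(findings, Finding{Flag: name, ValueLen: len(value)})
	}
	return findings, nil
}

func main() {
	for _, body := range []string{sampleArgvSecrets, sampleConfigFile} {
		findings, err := AuditCmdline([]byte(body))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%d credential flag(s) in argv: %v\n", len(findings), findings)
	}
}
```

A finding means a credential flag is on the command line at all, which the advisory advises against regardless of server version.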

@renovate renovate Bot requested a review from a team as a code owner March 24, 2026 22:36

renovate Bot commented Mar 24, 2026

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 6 additional dependencies were updated

Details:

Package Change
github.com/nats-io/nats.go v1.48.0 -> v1.49.0
github.com/antithesishq/antithesis-sdk-go v0.5.0 -> v0.6.0-default-no-op
github.com/nats-io/jwt/v2 v2.8.0 -> v2.8.1
golang.org/x/crypto v0.48.0 -> v0.49.0
golang.org/x/sys v0.41.0 -> v0.42.0
golang.org/x/time v0.14.0 -> v0.15.0
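
A go.mod gate against the fixed versions named in the advisories above (v2.12.6 and v2.11.15), as an added example that is not part of the PR or Renovate's output. It assumes replace directives are not followed and that release lines newer than 2.12 carry the fixes; the go.mod text in `main` is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

const natsModule = "github.com/nats-io/nats-server/v2"

// fixedPatch maps a release line (major, minor) to the first patch release
// the advisories on this page list as fixed.
var fixedPatch = map[[2]int]int{{2, 11}: 15, {2, 12}: 6}

type Verdict string

const (
	NotRequired Verdict = "not required"
	Unparsed    Verdict = "unparsed version"
	Vulnerable  Verdict = "vulnerable"
	Patched     Verdict = "patched"
)

// requiredVersion returns the version in the module's require directive,
// ignoring exclude/replace blocks. Assumption: replace is not followed.
func requiredVersion(goMod string) (string, bool) {
	inRequire := false
	for _, line := range strings.Split(goMod, "\n") {
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drop trailing comments such as "// indirect"
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inRequire = true
			continue
		case len(f) == 1 && f[0] == ")":
			inRequire = false
			continue
		case len(f) == 3 && f[0] == "require":
			f = f[1:] // single-line form: require <module> <version>
		case !inRequire:
			continue
		}
		if len(f) == 2 && f[0] == natsModule {
			return f[1], true
		}
	}
	return "", false
}

// Check classifies the nats-server requirement found in a go.mod file.
func Check(goMod string) (Verdict, string) {
	ver, ok := requiredVersion(goMod)
	if !ok {
		return NotRequired, ""
	}
	var n [3]int
	if c, _ := fmt.Sscanf(ver, "v%d.%d.%d", &n[0], &n[1], &n[2]); c != 3 {
		return Unparsed, ver
	}
	// A pre-release or pseudo-version suffix sorts before the plain release.
	pre := strings.Contains(ver, "-")
	fixed, known := fixedPatch[[2]int{n[0], n[1]}]
	switch {
	case known && (n[2] > fixed || (n[2] == fixed && !pre)):
		return Patched, ver
	case !known && (n[0] > 2 || (n[0] == 2 && n[1] > 12)):
		return Patched, ver // assumption: later release lines carry the fixes
	}
	return Vulnerable, ver // older lines have no fixed release on this page
}

func main() {
	// Constructed go.mod contents for the state before and after this update.
	before := "module example.test/app\n\nrequire (\n\t" + natsModule + " v2.12.4\n)\n"
	after := strings.Replace(before, "v2.12.4", "v2.12.6", 1)
	for _, m := range []string{before, after} {
		verdict, ver := Check(m)
		fmt.Println(ver, verdict)
	}
}
```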

@renovate renovate Bot changed the title from "fix(deps): update module github.com/nats-io/nats-server/v2 to v2.12.6 [security]" to "fix(deps): update module github.com/nats-io/nats-server/v2 to v2.12.6 [security] - autoclosed" Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/go-github.com-nats-io-nats-server-v2-vulnerability branch March 27, 2026 02:41
@renovate renovate Bot changed the title from "fix(deps): update module github.com/nats-io/nats-server/v2 to v2.12.6 [security] - autoclosed" to "fix(deps): update module github.com/nats-io/nats-server/v2 to v2.12.6 [security]" Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/go-github.com-nats-io-nats-server-v2-vulnerability branch 2 times, most recently from d726077 to 529f763 Compare March 30, 2026 18:53
@renovate renovate Bot changed the title from "fix(deps): update module github.com/nats-io/nats-server/v2 to v2.12.6 [security]" to "Update module github.com/nats-io/nats-server/v2 to v2.12.6 [SECURITY]" Apr 8, 2026