EXECUTIVE SUMMARY:
CVE-2026-27889 (CVSS score 7.5) is a pre-authentication remote server crash caused by a WebSocket frame length overflow in wsRead. It affects NATS server versions 2.2.0 through 2.11.13 and 2.12.4, i.e. releases prior to 2.11.14 or 2.12.5, when WebSockets are exposed to untrusted endpoints. A malicious client can crash the server before authentication by sending a single crafted WebSocket frame of 15 bytes after the HTTP upgrade handshake. The frame violates the RFC 6455 §5.2 requirement, so the uint64 → int conversion yields a negative value, which triggers an unrecovered panic in the connection's goroutine, killing the entire server process and disconnecting all clients. All platforms, 64-bit and 32-bit alike, are affected. An unauthenticated remote attacker can therefore crash the nats-server process, disrupting JetStream in-flight acknowledgments, Raft consensus, and all connected clients, including MQTT-over-WebSocket, NATS, WebSocket, and cluster routes. The attack is repeatable after every server restart and requires only TCP access to the WebSocket port, making this a high-severity vulnerability with a wide attack surface.
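The following Go parser is an added defensive illustration of the length check described above; it is not code from the NATS project or from the advisory. It decodes a WebSocket frame payload length, enforces the RFC 6455 §5.2 rule that the most significant bit of a 64-bit extended length must be zero, and range-checks the value against the platform's int size before converting, so a uint64 → int conversion can never produce a negative length. The per-frame cap maxFramePayload is a hypothetical constant, not a NATS setting, and the sample frame headers are constructed for the demonstration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"math"
)

// maxFramePayload is an assumed, illustrative per-frame limit; it is not a
// NATS configuration value.
const maxFramePayload = 1 << 20 // 1 MiB

var (
	ErrShortHeader      = errors.New("frame header truncated")
	ErrLengthHighBit    = errors.New("64-bit payload length has its most significant bit set (RFC 6455 section 5.2)")
	ErrLengthNotMinimal = errors.New("payload length not encoded in its minimal form")
	ErrLengthTooLarge   = errors.New("payload length exceeds the platform int range or the configured maximum")
)

// parsePayloadLength decodes the payload length from the start of a WebSocket
// frame header. It returns the length as an int only after proving the value
// fits in an int and is within maxFramePayload, so the caller never sees a
// negative length from a uint64 -> int conversion. headerLen is the number of
// header bytes consumed, including the 4-byte masking key when present.
func parsePayloadLength(hdr []byte) (length int, headerLen int, err error) {
	if len(hdr) < 2 {
		return 0, 0, ErrShortHeader
	}
	masked := hdr[1]&0x80 != 0
	base := uint64(hdr[1] & 0x7f)

	var n uint64
	switch base {
	case 126: // 16-bit extended length follows
		if len(hdr) < 4 {
			return 0, 0, ErrShortHeader
		}
		n = uint64(binary.BigEndian.Uint16(hdr[2:4]))
		if n < 126 {
			return 0, 0, ErrLengthNotMinimal
		}
		headerLen = 4
	case 127: // 64-bit extended length follows
		if len(hdr) < 10 {
			return 0, 0, ErrShortHeader
		}
		n = binary.BigEndian.Uint64(hdr[2:10])
		// RFC 6455 section 5.2: the most significant bit MUST be 0. Reject it
		// here instead of letting int(n) go negative downstream.
		if n&(1<<63) != 0 {
			return 0, 0, ErrLengthHighBit
		}
		if n <= math.MaxUint16 {
			return 0, 0, ErrLengthNotMinimal
		}
		headerLen = 10
	default: // 0..125 is encoded directly in the second byte
		n = base
		headerLen = 2
	}
	if masked {
		headerLen += 4
	}

	// Range-check before the conversion. On 32-bit platforms int is 32 bits,
	// so math.MaxInt is the right bound, not MaxInt64.
	if n > uint64(math.MaxInt) || n > maxFramePayload {
		return 0, 0, ErrLengthTooLarge
	}
	return int(n), headerLen, nil
}

func main() {
	// Constructed sample headers (binary frames, unmasked for brevity).
	samples := map[string][]byte{
		"short frame, length 5":      {0x82, 0x05, 1, 2, 3, 4, 5},
		"16-bit length 256":          {0x82, 0x7e, 0x01, 0x00},
		"64-bit length with MSB set": {0x82, 0x7f, 0x80, 0, 0, 0, 0, 0, 0, 0},
		"64-bit length 2 GiB":        {0x82, 0x7f, 0, 0, 0, 0, 0x80, 0, 0, 0},
	}
	for name, hdr := range samples {
		n, h, err := parsePayloadLength(hdr)
		if err != nil {
			fmt.Printf("%-28s rejected: %v\n", name, err)
			continue
		}
		fmt.Printf("%-28s accepted: payload=%d headerLen=%d\n", name, n, h)
	}
}
```

A server-side reader would call parsePayloadLength on the bytes it has buffered after the upgrade handshake, close the connection on any returned error, and only then allocate or read headerLen plus the returned length. Rejecting the frame at the header stage is what keeps a malformed length from ever reaching an allocation, slice index, or conversion that could panic the goroutine.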
RECOMMENDATION:
We recommend updating NATS server to version 2.11.14 or 2.12.5.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-pq2q-rcw4-3hr6