Home

Description

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.1 and 2.12.9, an MQTT client could include protocol control characters in subscription filters that were later forwarded as NATS protocol data to route or leafnode connections, corrupting the forwarded protocol stream and allowing injection of unintended NATS protocol operations. This issue is fixed in versions 2.14.1 and 2.12.9.

PUBLISHED Reserved 2026-06-29 | Published 2026-07-08 | Updated 2026-07-09 | Assigner GitHub_M




HIGH: 7.1CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Problem types

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Product status

< 2.12.9
affected

>= 2.14.0-RC.1, < 2.14.1
affected

References

github.com/...server/security/advisories/GHSA-qrcv-3558-gj4f

github.com/nats-io/nats-server/pull/8163

github.com/nats-io/nats-server/pull/8164

github.com/...ommit/366837cfc65ab9ccb4f98193c65e8daf238582d8

github.com/...ommit/64ebae40051ee497c481e10f316238faf0de1736

github.com/...ommit/f14856b9e57a36818f43851cb69b6e33670885c9

github.com/nats-io/nats-server/releases/tag/v2.12.9

github.com/nats-io/nats-server/releases/tag/v2.14.1

cve.org (CVE-2026-58213)

nvd.nist.gov (CVE-2026-58213)

Download JSON