RATATOSKRATATOSK
Sign in

NATS

v2.12.5Networking & Messaging
Mar 10, 2026

NATS v2.12.5 delivers critical security fixes for leafnode compression and WebSocket vulnerabilities, while significantly improving JetStream backup performance and fixing numerous stability issues in filestore operations.

  • securityUpdate immediately for critical CVE fixes

    Two CVEs affect production systems: CVE-2026-29785 impacts leafnode compression and CVE-2026-27889 affects WebSocket connections. Both can cause server panics or security issues. Schedule maintenance window to update all NATS servers running v2.12.4 or earlier.

  • enhancementOptimize JetStream backups for unreliable networks

    Stream backups now support window_size parameter for better flow control. If you run backups over slow or unreliable connections, configure appropriate window sizes to improve throughput and reduce backup failures. Test with your network conditions to find optimal values.

  • enhancementReview async metalayer snapshot behavior

    Metalayer snapshots now run asynchronously to prevent blocking JS API operations. This improves performance but changes timing behavior. If your applications rely on synchronous snapshot timing, set `meta_compact_sync: true` in jetstream config block to restore previous behavior.

Key changes (5)

  • Critical CVE fixes for leafnode compression (CVE-2026-29785) and WebSocket parsing (CVE-2026-27889)
  • JetStream stream backups now use improved flow control with window_size parameter for better performance over unreliable connections
  • Metalayer snapshots now run asynchronously by default to prevent blocking JS API operations
  • Fixed multiple filestore race conditions and lock leaks that could cause crashes or performance degradation
  • WebSocket handling improvements including proper frame validation and compression state management