RATATOSKRATATOSK
ログイン

NATS

v2.11.15Networking & Messaging
2026年3月25日

v2.11.15 is a critical security release patching 11 CVEs across MQTT, leafnodes, WebSockets, JetStream, and mTLS. Upgrade immediately if you run any of these features.

  • securityUpgrade now — 11 CVEs, multiple remote attack surfaces

    This release patches CVEs across nearly every major NATS feature area. MQTT users face the most exposure: password leakage in monitoring endpoints, session hijacking via mismatched client IDs, and malformed packet panics. WebSocket deployments had an unbounded memory allocation path exploitable for DoS. Leafnode and mTLS users also have targeted fixes. There is no safe reason to delay this upgrade. Pin your deployments to v2.11.15 and roll it out across all clusters — dev, staging, and production.

  • breakingMQTT client ID restrictions may break existing clients

    NATS special characters (`.`, `>`, `*`, spaces, tabs) are now rejected in MQTT client IDs. If any of your MQTT clients use these characters — common in some IoT device naming schemes — they will fail to connect after upgrade. Audit your MQTT client ID naming conventions before rolling out this version in production. Also verify that your MQTT clients do not rely on the previously broader implicit permission scope, which is now restricted to `$MQTT.sub.*` and `$MQTT.deliver.pubrel.*` prefixes.

  • enhancementTrace logging and monitoring endpoints now redact secrets

    Command-line secrets were previously visible in expvar monitoring output and trace logs. This is fixed. If you've been scraping the monitoring port or collecting trace logs and routing them to external systems (log aggregators, SIEM, etc.), check whether any historical data needs to be rotated or scrubbed. Going forward, no additional config is needed — redaction is automatic.

主な変更 (5)

  • 11 CVEs fixed spanning MQTT (3), leafnodes (2), JetStream (2), WebSockets (1), mTLS (1), credential handling (1), and publish permissions (1)
  • MQTT hardened: passwords no longer leak in monitoring/advisory endpoints, sessions can't be hijacked by mismatched client IDs, implicit permissions now restricted to $MQTT prefixes only
  • WebSocket parser rewritten to avoid unbounded memory allocations from compressed/uncompressed frames — direct DoS vector closed
  • Publish permission enforcement added to Nats-Trace-Dest header — clients without publish rights to the trace subject now get an error instead of silent bypass
  • JetStream path traversal bug fixed during account purge; large reservation overflow bug fixed to prevent tier limit violations