NATS
v2.11.17Networking & MessagingNATS v2.11.17 is a security and stability patch addressing JWT bearer token exposure in monitoring endpoints, credential redaction gaps, and several crash/correctness bugs.
securityPatch immediately: /connz was leaking bearer JWTs
Any operator exposing the NATS monitoring port (default 8222) to internal or external networks should treat this as urgent. Bearer tokens visible in /connz could be harvested and replayed. Rotate any JWTs that may have been exposed, audit who had access to your monitoring endpoints, and upgrade to 2.11.17 now. If you cannot upgrade immediately, firewall the monitoring port.
securityCLI-embedded secrets were visible in monitoring output
If your NATS deployment passes route or cluster URLs with embedded credentials as command-line arguments, those secrets were previously visible in monitoring output. Audit your monitoring data for any historical exposure, rotate affected credentials, and upgrade. Long-term, prefer config files or environment-based secret injection over CLI arguments.
breakingRepeated CONNECT behavior change may affect edge-case clients
The fix for repeated CONNECT messages clearing subscriptions changes previously tolerated (but incorrect) behavior. Custom clients or unusual connection patterns that send multiple CONNECT messages on the same connection could see subscriptions unexpectedly dropped. Audit any non-standard client code before upgrading in production.
主な変更 (5)
- Bearer JWTs no longer exposed via the /connz monitoring endpoint — this was a credential leak
- Route and cluster URL secrets passed as CLI args are now redacted in monitoring output
- Repeated CONNECT messages on a connection now correctly clear subscriptions, preventing stale state
- JWT claims spanning midnight now validate correctly — edge case that could silently break auth
- Fixed a panic during leafnode compression negotiation and a header mutation bug affecting message buffers