NATS
v2.12.6Networking & Messagingv2.12.6 is a critical security release fixing 11 CVEs across MQTT, JetStream, WebSockets, leafnodes, and mTLS. Also fixes a JetStream regression from 2.12.5 that could lose consumer assignments.
securityUpgrade immediately — 11 CVEs patched across core subsystems
This release patches CVEs in MQTT (3), JetStream (2), leafnodes (2), WebSockets (1), mutual TLS (1), command-line credentials (1), and publish permissions (1). If you run any of these features in production, there is no safe reason to stay on an older build. Review your deployment against the affected subsystems and prioritize accordingly — MQTT and leafnode users face the highest exposure count.
breaking1MB JWT size limit is now enforced
JWTs larger than 1MB will be rejected. This is unlikely to affect most deployments, but if you use deeply nested or unusually large account/user JWTs (e.g., with large permission sets), validate your JWT sizes before upgrading. Check your operator's JWTs and any dynamically issued credentials.
breakingJetStream consumer assignments could be silently lost on 2.12.5 — fix requires upgrade
A regression in 2.12.5 caused stream updates on clustered JetStream with async snapshots to drop consumer assignments. If you're running 2.12.5 with clustered JetStream, audit your consumer counts before and after upgrading to confirm no silent data loss occurred. This is the most operationally dangerous bug in this release cycle.
主な変更 (5)
- 11 CVEs patched covering MQTT, JetStream, WebSockets, leafnodes, mutual TLS, and credential handling
- JetStream regression fix: clustered setups with async snapshots could lose consumer assignments (introduced in 2.12.5)
- New 1MB size limit on JWTs
- MQTT security hardening: passwords no longer exposed in monitoring, restricted implicit permissions, session restore now validates client ID
- WebSocket parser rewritten to avoid unbounded memory allocations from compressed frames