RATATOSKRATATOSK
ログイン

NATS

v2.14.3Networking & Messaging
2026年6月30日

NATS server v2.14.3 is a maintenance release dominated by JetStream, MQTT and clustering bug fixes, with two MQTT fixes closing pre-auth memory exhaustion and panic conditions and one breaking change: JSONP monitoring support has been removed.

  • breakingJSONP monitoring support removed

    Applies to deployments relying on JSONP callbacks against monitoring endpoints (e.g. /varz, /connz via callback= param). This is removed in v2.14.3; switch dashboards or scripts to plain JSON polling before upgrading.

  • securityMQTT memory exhaustion and panic fixes

    Applies to servers exposing MQTT. Fixed in v2.14.3: malformed partial CONNECT packets could exhaust pre-auth memory, and a PUBLISH remaining-length underflow could panic the server. Upgrade if you run MQTT, especially with untrusted or public clients.

  • breakingPermission checks tightened for leaf trace destination and NoAuthUser

    Applies to leaf node setups using Nats-Trace-Dest, and to accounts using NoAuthUser. Fixed in v2.14.3: leaf connections could bypass Nats-Trace-Dest publish permission checks, and NoAuthUser did not enforce connection restrictions. Review permission and NoAuthUser configs after upgrading, since previously permitted traffic may now be denied as intended.

主な変更 (7)

  • MQTT fixes for partial CONNECT pre-auth memory exhaustion and a PUBLISH remaining-length underflow panic, both fixed in v2.14.3
  • Permission enforcement tightened: leaf connections no longer bypass Nats-Trace-Dest checks, and NoAuthUser now honors connection restrictions
  • JSONP callback support removed from monitoring endpoints (breaking for any tooling still using it)
  • Large JetStream clustering/Raft reliability batch: meta node data race on shutdown, stream catchup no longer skipped past limits, phantom streams/consumers after meta recovery, Raft membership revert on truncate/snapshot, and related consistency fixes
  • MQTT hardening: rejects subscriptions to internal $MQTT.deliver.pubrel, enforces subscribe deny rules on retained/QoS replay paths, and fixes a WebSocket /mqtt upgrade panic when MQTT is disabled
  • Filestore and memory store corrections: compaction no longer corrupts compressed/encrypted blocks, NumPending overcount fixed for DeliverLastPerSubject, counter stream staging total no longer corrupts
  • Plus roughly two dozen smaller fixes: PROXY/TLS sniffing, gateway CONNECT race, service import tracing across routes, CONNZ/SUBSZ overflow guards, JWT/account claims refresh, and Go updated to 1.26.4