github nats-io/nats-server v2.11.14
Release v2.11.14
on GitHub

latest release: v2.12.5
7 hours ago

Changelog

Refer to the 2.11 Upgrade Guide for backwards compatibility notes with 2.10.x.

Go Version

  • 1.25.8

Dependencies

  • golang.org/x/crypto v0.48.0 (#7874)
  • golang.org/x/sys v0.42.0 (#7923)
  • golang.org/x/time v0.15.0 (#7923)

CVEs

  • Fixes CVE-2026-29785 (affects systems with leafnode compression enabled)
  • Fixes CVE-2026-27889 (affects systems with WebSockets enabled)

Fixed

Leafnodes

  • Receiving a leafnode subscription before negotiating compression should no longer result in a server panic

WebSockets

  • Fix invalid parsing of 64-bit payload lengths, which could lead to a server panic
  • Correctly reject compressed frames when compression was not negotiated as a part of the handshake
  • The Origin header validation now validates the protocol scheme as well as host and port
  • Gracefully handle failed connection upgrades
  • The CLOSE frame lengths and status codes are now validated correctly
  • The compressor state is correctly reset when a max payload error occurs
  • Empty compressed buffers should no longer result in a server panic

Complete Changes

v2.11.12...v2.11.14

Check out latest releases or
releases around nats-io/nats-server v2.11.14

Don't miss a new nats-server release

NewReleases is sending notifications on new releases.

Get notifications