github nats-io/nats-server v2.11.15
Release v2.11.15


Changelog

Refer to the 2.11 Upgrade Guide for backwards compatibility notes with 2.10.x.

Go Version

  • 1.25.8

Dependencies

  • golang.org/x/crypto v0.49.0 (#7953)
  • github.com/nats-io/jwt/v2 v2.8.1 (#7960)
  • github.com/antithesishq/antithesis-sdk-go v0.6.0-default-no-op
  • github.com/klauspost/compress v1.18.4
  • github.com/nats-io/nats.go v1.49.0
  • github.com/nats-io/nkeys v0.4.15

CVEs

  • Fixes CVE-2026-33216, CVE-2026-33217, CVE-2026-33215 (affecting systems using MQTT)
  • Fixes CVE-2026-33246 (affects systems using leafnodes and service imports)
  • Fixes CVE-2026-33218 (affects systems using leafnodes)
  • Fixes CVE-2026-33219 (affects systems using WebSockets)
  • Fixes CVE-2026-33223, CVE-2026-33222 (affects systems using JetStream)
  • Fixes CVE-2026-33248 (affects systems using mutual TLS)
  • Fixes CVE-2026-33247 (affects systems providing credentials on the command line)
  • Fixes CVE-2026-33249 (affects systems where client publish permissions should be restricted)
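The first thing an operator wants from this list is a quick answer to "is my server old enough to be missing these fixes?". The following Go program is an added example, not code from nats-server: it parses a version string (assumed here to have the shape `nats-server: v2.11.14`, which is what `nats-server -v` is expected to print; the prefix and the leading `v` are both optional) and classifies it against v2.11.15. It goes slightly beyond the page by also flagging pre-2.11 servers, which the Upgrade Guide note above covers, and 2.12+ servers, for which this page says nothing about the corresponding fixed release.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Status is the outcome of comparing a server's version with this release.
type Status string

const (
	StatusUpgrade   Status = "upgrade"          // 2.11.x older than 2.11.15, or any pre-2.11 release
	StatusOK        Status = "ok"               // 2.11.15 or a later 2.11.x
	StatusOtherLine Status = "check-other-line" // 2.12+: not covered by these notes
)

// fixedVersion is the release these notes describe.
var fixedVersion = [3]int{2, 11, 15}

// parseServerVersion parses a string such as "nats-server: v2.11.14", the assumed
// shape of `nats-server -v` output. The "nats-server:" prefix and the leading "v"
// are both optional, and a pre-release or build suffix is ignored.
func parseServerVersion(out string) ([3]int, error) {
	s := strings.TrimSpace(out)
	s = strings.TrimSpace(strings.TrimPrefix(s, "nats-server:"))
	s = strings.TrimPrefix(s, "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 { // drop "-beta.2", "+abcdef", ...
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return [3]int{}, fmt.Errorf("unrecognised version string %q", out)
	}
	var v [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return [3]int{}, fmt.Errorf("bad version component %q in %q", p, out)
		}
		v[i] = n
	}
	return v, nil
}

// less reports whether a sorts before b in major.minor.patch order.
func less(a, b [3]int) bool {
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// UpgradeAdvice classifies a server version against v2.11.15 and returns a
// one-line explanation suitable for an inventory or audit report.
func UpgradeAdvice(versionOutput string) (Status, string, error) {
	v, err := parseServerVersion(versionOutput)
	if err != nil {
		return "", "", err
	}
	tag := fmt.Sprintf("v%d.%d.%d", v[0], v[1], v[2])
	switch {
	case v[0] == 2 && v[1] == 11 && !less(v, fixedVersion):
		return StatusOK, tag + " includes the v2.11.15 fixes", nil
	case less(v, fixedVersion):
		return StatusUpgrade, tag + " predates v2.11.15 and lacks the listed CVE fixes", nil
	default:
		return StatusOtherLine, tag + " is not on the 2.11 line; consult that line's own release notes", nil
	}
}

func main() {
	// Constructed sample outputs; in practice feed the real `nats-server -v` output.
	samples := []string{"nats-server: v2.11.14", "nats-server: v2.11.15", "v2.10.22", "2.12.6"}
	for _, out := range samples {
		st, note, err := UpgradeAdvice(out)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-24s %-18s %s\n", out, st, note)
	}
}
```

Treat `StatusOtherLine` as "unknown", not "safe": a 2.12.x server may or may not carry the same fixes, and only that line's notes can say.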

Improved

JetStream

  • The stream peer-remove command now accepts a peer ID as well as a server name (#7952)

MQTT

  • Protocol compliance has been improved, including more error handling on invalid or malformed MQTT packets (#7933)

Fixed

General

  • Improved handling of duplicate headers
  • A correctness bug when validating relative distinguished names has been fixed
  • Secrets are now redacted correctly in trace logging (#7942)
  • The expvar endpoint on the monitoring port now correctly redacts secrets from the command line arguments
  • Trace headers are no longer incorrectly parsed when hitting max payload (#7954)
  • The Nats-Trace-Dest message header for message tracing now requires that the client have publish permissions for the specified subject; otherwise an error is returned

JetStream

  • A panic when paginating on various JetStream API endpoints has been fixed
  • An interior path traversal bug that could occur when purging JetStream accounts has been fixed
  • Meta snapshot apply errors are now surfaced correctly so that the cluster monitor does not advance the applied index (#7944)
  • Fixed an issue where extremely large JetStream reservations could overflow and violate tier limits
  • Stream restores now ensure that the stream name in the restore subject matches that of the restored snapshot archive
  • Stream ingest now correctly strips a NATS status header if present, avoiding incorrect classification of sourced or mirrored messages as control traffic
  • Stream sourcing now works correctly when sourcing into a stream with the Discard New Per Subject discard policy (#7896)

Leafnodes

  • A panic when receiving a loop detection error before a connect message has been fixed
  • Messages from leafnodes to non-shared service imports now correctly rebuild the request info header
  • Leafnodes now back off on receiving a minimum version required error, without blocking the read loop (#7970)

MQTT

  • SUB and UNSUB packets now correctly detect and reject the Packet Identifier being set to 0 (#7805)
  • A panic that could occur when processing invalid fixed32 or fixed64 fields has been fixed (#7941)
  • Persisted MQTT sessions can no longer be restored by a non-matching client ID
  • The implicit permissions for MQTT clients are now restricted to the $MQTT.sub. and $MQTT.deliver.pubrel. prefixes
  • MQTT passwords are no longer exposed in the JWT field of monitoring endpoints or advisory messages
  • NATS special characters (., >, *, spaces, tabs) are no longer permitted in MQTT client IDs
  • MQTT session flapping detection now uses monotonic time, fixing cases where it could be sensitive to NTP adjustments or clock drift

WebSockets

  • WebSocket protocol parsing no longer relies on potentially unbounded in-memory allocations from compressed or uncompressed frames

Complete Changes

v2.11.14...v2.11.15
