Announcing a new version of the NATS .NET client library covering various fixes and a security update to one dependency for .NET Standard targets (#1089), even though the vulnerable API is not used by our library.
Quick summary
- The vulnerable Microsoft.Bcl.Memory API is not used by NATS .NET
- Microsoft.Bcl.Memory is only pulled in for `netstandard2.0` targets
- Upgrading Microsoft.Bcl.Memory is still recommended for good supply-chain hygiene
- You don't have to upgrade NATS .NET if you don't have time, just update your application with Microsoft.Bcl.Memory v9.0.14
Microsoft Security Advisory CVE-2026-26127 Update
Microsoft.Bcl.Memory is a transitive dependency for `netstandard2.0` targets, so any app pulling in NATS.Client.Core for that target gets it. Even though this library doesn't call the vulnerable Base64Url.Decode API, the consuming application (or another dependency in its graph) might. A CVSSv3 7.5 DoS from a malformed network input is not something you want sitting in your dependency tree.
If you are not upgrading to this new version of NATS .NET, applications should add an explicit package reference to force the patched version:

```xml
<PackageReference Include="Microsoft.Bcl.Memory" Version="9.0.14" />
```

You don't need to upgrade NATS .NET itself to get the fix if you need time. NuGet will resolve the direct 9.0.14 reference because the transitive dependency is expressed as a lower bound (>= 9.0.0), so a newer patch version in the same major.minor range satisfies it, and the explicit reference in your application takes precedence over the version NATS.Client.Core asks for.
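As an added example (not part of these release notes or of the NATS .NET code base), here is a Python script that checks what Microsoft.Bcl.Memory actually resolved to after restore. It parses `obj/project.assets.json`, the NuGet lock file that records the exact version of every direct and transitive package per target framework, and flags any target below a required minimum. The JSON embedded in it is a constructed, trimmed sample of that file; point the script at your own `obj/project.assets.json` to check a real build (`dotnet list package --include-transitive` shows the same information interactively).

```python
"""Verify which version of a NuGet package actually resolved in a build.

Added example, not NATS .NET project code. It reads obj/project.assets.json, the
NuGet lock file that records the exact version every package (direct or
transitive) resolved to for each target framework, and flags any target where
the package is below a required minimum. The JSON below is a constructed,
trimmed sample; a real file carries many more entries per package.
"""
import json
import sys
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn a NuGet version string into a tuple that compares like NuGet orders versions.

    The numeric part is padded to four components (NuGet allows a fourth), and a
    trailing flag orders a pre-release (e.g. 9.0.14-preview.1) below the stable
    release with the same number, so a pre-release never satisfies a stable minimum.
    """
    core, _, prerelease = text.partition("-")
    core = core.split("+", 1)[0]  # build metadata never affects precedence
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (4 - len(parts))
    return tuple(parts) + ((0,) if prerelease else (1,))


def resolved_versions(assets: dict, package: str) -> Dict[str, Optional[str]]:
    """Map each target framework to the version `package` resolved to (None if absent).

    Keys under "targets" have the form "<PackageId>/<Version>"; ids are case-insensitive.
    """
    result: Dict[str, Optional[str]] = {}
    for tfm, entries in assets.get("targets", {}).items():
        result[tfm] = None
        for key in entries:
            name, _, version = key.partition("/")
            if name.lower() == package.lower():
                result[tfm] = version
    return result


def below_minimum(assets: dict, package: str, minimum: str) -> Dict[str, str]:
    """Return {target framework: resolved version} wherever the package is present but too old."""
    floor = parse_version(minimum)
    return {
        tfm: ver
        for tfm, ver in resolved_versions(assets, package).items()
        if ver is not None and parse_version(ver) < floor
    }


# Constructed sample: an app with netstandard2.0 and net8.0 targets that pulls in
# NATS.Client.Core, before any explicit Microsoft.Bcl.Memory reference is added.
ASSETS_BEFORE = json.loads("""
{
  "version": 3,
  "targets": {
    ".NETStandard,Version=v2.0": {
      "Microsoft.Bcl.Memory/9.0.0": {"type": "package"},
      "NATS.Client.Core/2.7.2": {"type": "package",
                                 "dependencies": {"Microsoft.Bcl.Memory": "9.0.0"}}
    },
    "net8.0": {
      "NATS.Client.Core/2.7.2": {"type": "package"}
    }
  }
}
""")

# Constructed sample: the same app after adding
# <PackageReference Include="Microsoft.Bcl.Memory" Version="9.0.14" /> and restoring.
ASSETS_AFTER = json.loads(json.dumps(ASSETS_BEFORE))
_ns20 = ASSETS_AFTER["targets"][".NETStandard,Version=v2.0"]
_ns20["Microsoft.Bcl.Memory/9.0.14"] = _ns20.pop("Microsoft.Bcl.Memory/9.0.0")


def main(argv) -> int:
    """Check a real lock file if a path is given, otherwise the constructed samples."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            samples = {argv[1]: json.load(fh)}
    else:
        samples = {"before": ASSETS_BEFORE, "after": ASSETS_AFTER}
    exit_code = 0
    for label, assets in samples.items():
        stale = below_minimum(assets, "Microsoft.Bcl.Memory", "9.0.14")
        for tfm, ver in stale.items():
            print(f"{label}: {tfm} resolved Microsoft.Bcl.Memory {ver} (< 9.0.14)")
            exit_code = 1
        if not stale:
            print(f"{label}: Microsoft.Bcl.Memory >= 9.0.14 or absent on every target")
    return exit_code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the before/after samples, or with the path to a project's `obj/project.assets.json`; a non-zero exit code means some target still resolved a version below 9.0.14, which makes it usable as a CI gate.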
Here is a report generated by AI:
The NATS .NET library implementation is not affected by the same bug. Different vulnerability, different code.

The CVE is about an out-of-bounds read in System.Buffers.Text.Base64Url's decode path when processing malformed input — that's a SIMD-optimized native implementation with pointer arithmetic that can overrun its buffer.

Your custom Base64UrlEncoder (borrowed from Azure AD IdentityModel):
- Decode path: Converts Base64Url chars back to standard Base64 chars (- → +, _ → /), pads with =, then delegates to Convert.FromBase64String(). The actual decoding is done by the framework's well-tested Convert.FromBase64String, which will throw FormatException on malformed input rather than reading out of bounds.
- Validates input length: Rejects length % 4 == 1 upfront (line 164), which is always invalid.
- Bounded loops: The unsafe code in UnsafeDecode only iterates up to str.Length and decodedLength (which is at most str.Length + 3), and the output string is allocated to exactly decodedLength.

The implementation is sound. It's not pretty (mutating "immutable" strings via fixed pointers is a hack), but it's not vulnerable to the same class of bug.
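As an added example following the report above (not code from NATS .NET or from IdentityModel), here is a Python rendering of the decode strategy it describes: map Base64Url characters back to standard Base64, reject lengths congruent to 1 mod 4, pad with `=`, and delegate to the runtime's decoder. `base64.b64decode(..., validate=True)` stands in for Convert.FromBase64String: malformed input raises instead of being decoded past its bounds. The sample inputs are constructed.

```python
"""Base64Url decoding by normalising to standard Base64, then delegating.

Added example, not NATS .NET project code: a Python rendering of the decode
path the report describes (swap '-' for '+', '_' for '/', reject
length % 4 == 1, add '=' padding, then hand off to the platform decoder).
base64.b64decode with validate=True plays the role of Convert.FromBase64String:
malformed input raises instead of being silently accepted or over-read.
"""
import base64
import binascii
from typing import Tuple


def base64url_encode(data: bytes) -> str:
    """Encode to unpadded Base64Url (RFC 4648 section 5), the form JWTs use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def base64url_decode(text: str) -> bytes:
    """Decode Base64Url input, padded or not, by normalising and delegating.

    Raises ValueError on any malformed input; the delegate decoder is the only
    thing that touches the bytes, so there is no hand-rolled pointer arithmetic.
    """
    if len(text) % 4 == 1:
        # No valid Base64 payload has length 1 mod 4: a leftover group of one
        # character encodes fewer than the 8 bits of a single byte.
        raise ValueError("invalid Base64Url length")
    standard = text.replace("-", "+").replace("_", "/")
    standard += "=" * (-len(standard) % 4)  # pad to a multiple of 4
    try:
        # validate=True rejects characters outside the alphabet (and stray '=')
        # instead of skipping them, matching FormatException semantics.
        return base64.b64decode(standard, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"invalid Base64Url content: {exc}") from None


def try_decode(text: str) -> Tuple[bool, str]:
    """Report (ok, detail) so callers can observe rejection without exception handling."""
    try:
        return True, base64url_decode(text).hex()
    except ValueError as exc:
        return False, str(exc)


# Constructed inputs: two valid fragments and three malformed ones.
SAMPLES = [
    "SGVsbG8td29ybGQ_",  # "Hello-world?" (standard Base64 '/' appears as '_')
    "SGVsbG8",           # "Hello" with its padding stripped
    "A",                 # length 1 mod 4: rejected before any decoding
    "SGVs*G8",           # character outside the alphabet
    "SGVsbG8=xy",        # data after padding
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, detail = try_decode(sample)
        print(f"{sample!r:20} -> {'ok      ' if ok else 'rejected'} {detail}")
```

The point of the structure is the same one the report makes: the only code that walks the input is the platform decoder, and every malformed case surfaces as an exception from it rather than as an out-of-bounds read.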
Breaking Changes
Although most of them are minor, there are a few breaking changes, listed here.
- Add validation for unsupported PinnedClient calls by @mtmk in #1063
- Add cancelled token handling for consumers by @mtmk in #1068
- Add TermWithReason support to AckTerminateAsync by @mtmk in #1048
- Rework TermWithReason by @rickdotnet in #1081
- Fix OTel network telemetry tags by @mtmk in #1078
- Bump Microsoft.Bcl.Memory from 9.0.0 to 9.0.14 by @dependabot[bot] in #1089
- Add optional window_size parameter to StreamSnapshotRequest by @darkwatchuk in #1088
What's Changed
- Add more tests for JetStream consumer behavior by @mtmk in #1055
- Fix error logs URI rewritten by OnConnectingAsync by @mtmk in #1067
- Add slow consumer docs by @mtmk in #1073
- Add Synadia.Orbit.Testing.NatsServerProcessManager by @mtmk in #1065
- Add see-also references to Orbit packages by @mtmk in #1077
- Add validation for unsupported PinnedClient calls by @mtmk in #1063
- Add cancelled token handling for consumers by @mtmk in #1068
- Fix code analyzer warning by @mtmk in #1076
- Add TermWithReason support to AckTerminateAsync by @mtmk in #1048
- Add consumer info usage warnings by @mtmk in #1079
- Fix OTel network telemetry tags by @mtmk in #1078
- Rework TermWithReason by @rickdotnet in #1081
- Fix `PingCommand` cancellation by @mtmk in #1086
- Bump Microsoft.Bcl.Memory from 9.0.0 to 9.0.14 by @dependabot[bot] in #1089
- Add optional window_size parameter to StreamSnapshotRequest by @darkwatchuk in #1088
- Release 2.7.3 by @mtmk in #1090
Full Changelog: v2.7.2...v2.7.3