It turns out you don't need a complex exploit chain when you can just ask the server to eat a gigabyte of RAM or panic on the first packet.
🔥 39 Bytes to OOM
If your .NET cloud workloads or PaaS deployments render untrusted Scriban templates, you are one tiny payload away from a dead host. The built-in `string.pad_left` and `pad_right` functions don't enforce any width limits before allocating memory. An attacker just drops a 39-byte payload asking for a 500-million character string, and the runtime obediently attempts a 1GB allocation. Built-in safety timeouts don't catch it, resulting in an instant `OutOfMemoryException` crash. Patch your Scriban dependencies immediately, or tightly clamp your container memory limits so the blast radius doesn't take down the whole node.
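The defence the paragraph points at is a width clamp in front of the allocation. The following is an added illustration, not Scriban's or .NET's own code: it shows in Python what a bounded `pad_left`/`pad_right` helper should do in any template runtime, and it derives the cap from an allocation budget rather than an arbitrary number. Assumed values: two bytes per character (which is what .NET's UTF-16 strings cost, and why 500 million characters comes to the 1GB the post mentions) and a per-call byte budget chosen by the operator.

```python
"""Width-clamped padding as a defence against unbounded pad allocations.

Added example, not Scriban's or .NET's own code. BYTES_PER_CHAR and the
default budget are assumptions chosen for illustration.
"""

BYTES_PER_CHAR = 2  # .NET strings are UTF-16, so every character costs two bytes


def padded_allocation_bytes(width: int) -> int:
    """Bytes a runtime has to allocate to hold a string padded to `width` chars."""
    return max(width, 0) * BYTES_PER_CHAR


class PadWidthExceeded(ValueError):
    """Raised instead of allocating when a caller asks for too wide a pad."""


class BoundedPadder:
    """pad_left / pad_right that refuse widths above an allocation budget.

    The cap is derived from a byte budget so that it can track the memory
    limit the template host is actually given, instead of being picked by hand.
    """

    def __init__(self, budget_bytes: int = 1 << 20) -> None:
        # Largest width whose padded result still fits inside the budget.
        self.max_width = budget_bytes // BYTES_PER_CHAR

    def rejects(self, width: int) -> bool:
        """True when `width` would exceed the budget and must not be allocated."""
        return width > self.max_width

    def _check(self, width: int) -> None:
        if self.rejects(width):
            raise PadWidthExceeded(
                f"requested width {width} exceeds cap {self.max_width} "
                f"({padded_allocation_bytes(width)} bytes would be allocated)"
            )

    def pad_left(self, text: str, width: int, fill: str = " ") -> str:
        """Left-pad only after the width has been checked against the budget."""
        self._check(width)
        return text.rjust(width, fill)

    def pad_right(self, text: str, width: int, fill: str = " ") -> str:
        """Right-pad only after the width has been checked against the budget."""
        self._check(width)
        return text.ljust(width, fill)


if __name__ == "__main__":
    padder = BoundedPadder(budget_bytes=1 << 20)  # 1 MiB budget, assumed
    print(padder.pad_left("42", 8, "0"))
    print("500M chars would allocate", padded_allocation_bytes(500_000_000), "bytes")
    print("rejects 500M width:", padder.rejects(500_000_000))
```

The check runs before any string is built, so a request that would blow the budget costs nothing but an exception that the template host can log. A patched Scriban build is still the real fix; the clamp is what you would add to any custom string functions you expose to untrusted templates.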
🧨 Pre-Auth Panics in NATS
Running exposed leafnode listeners on your NATS brokers? A newly discovered pre-auth DoS vulnerability lets a single malformed packet trigger a fatal server panic. The crash happens before authentication is even evaluated, meaning anyone who can reach the port can take your entire core message bus offline. Upgrade to version 2.12.6 or 2.11.15 right now. If you can't patch today, heavily restrict network access to those listener ports at the firewall level.
🚪 MQTT ACL Bypass
While you are upgrading NATS, you also have to deal with a total authorization bypass. The broker completely fails to enforce access control lists for MQTT clients operating in the `$MQTT.>` namespace. Rogue edge endpoints can simply target this namespace to bypass restrictions and arbitrarily read or write to unauthorized topics across your infrastructure. There are absolutely zero configuration workarounds for this ACL failure. You either apply the patch, or you accept that your message bus is functionally wide open to any connected MQTT client.
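Both NATS items above come down to the same question: which brokers are still below the patched releases, and which of those have a leafnode or MQTT listener configured. The script below is an added example, not part of the original post or of the NATS project. It reads the JSON that a NATS server's monitoring endpoint (`/varz`) returns and compares the `version` field against the floors the post gives: 2.12.6 on the 2.12 line and 2.11.15 on the 2.11 line. Assumptions: the same two releases carry the MQTT ACL fix (the post implies this but does not state it); minor lines older than 2.11 are treated as unpatched and lines newer than 2.12 as patched; the sample `/varz` documents are constructed, with `leaf` and `mqtt` blocks standing in for a configured listener.

```python
"""Fleet check for the NATS leafnode pre-auth panic and MQTT ACL bypass.

Added example, not the NATS project's own tooling. Version floors come from
the advisory text; the /varz samples below are constructed for the demo.
"""
import json
import re

# Minimum patched release per minor line, as given in the post.
PATCHED_FLOORS = {(2, 11): (2, 11, 15), (2, 12): (2, 12, 6)}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")

# Constructed /varz documents, one per broker (not real servers).
SAMPLE_VARZ = {
    "edge-broker": '{"server_name": "edge-broker", "version": "2.11.14", '
                   '"leaf": {"host": "0.0.0.0", "port": 7422}, '
                   '"mqtt": {"host": "0.0.0.0", "port": 1883}}',
    "core-1": '{"server_name": "core-1", "version": "2.12.6", '
              '"leaf": {"host": "0.0.0.0", "port": 7422}}',
    "legacy": '{"server_name": "legacy", "version": "v2.10.0"}',
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '2.12.6' or 'v2.12.6' into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised NATS version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_patched(version: str) -> bool:
    """True when the version is at or above the patched floor for its line."""
    v = parse_version(version)
    floor = PATCHED_FLOORS.get(v[:2])
    if floor is not None:
        return v >= floor
    # No floor for this minor line: anything newer than the newest patched
    # release is assumed to include the fix, anything older is unpatched.
    return v > max(PATCHED_FLOORS.values())


def audit_varz(varz_json: str) -> dict:
    """Summarise one server's /varz document against the two advisories."""
    varz = json.loads(varz_json)
    version = varz["version"]
    patched = is_patched(version)
    findings = []
    if not patched:
        if "leaf" in varz:  # leafnode listener configured (assumed /varz shape)
            port = varz["leaf"].get("port")
            findings.append(
                f"leafnode listener on port {port} reachable pre-auth on an "
                "unpatched build: restrict the port at the firewall until upgraded"
            )
        if "mqtt" in varz:  # MQTT listener configured (assumed /varz shape)
            findings.append(
                "MQTT listener on an unpatched build: the ACL bypass has no "
                "configuration workaround, upgrading is the only fix"
            )
        if not findings:
            findings.append("unpatched build with no exposed listener: schedule the upgrade")
    return {"version": version, "patched": patched, "findings": findings}


def audit_fleet(varz_by_server: dict) -> dict:
    """Run audit_varz over every server's /varz document."""
    return {name: audit_varz(doc) for name, doc in varz_by_server.items()}


if __name__ == "__main__":
    for name, result in audit_fleet(SAMPLE_VARZ).items():
        status = "ok" if result["patched"] else "UNPATCHED"
        print(f"{name}: {result['version']} [{status}]")
        for line in result["findings"]:
            print("  -", line)
```

In production you would fetch each broker's `/varz` over the monitoring port instead of reading constructed strings, but the decision logic is the same: the version comparison decides whether the server is affected at all, and the presence of a leafnode or MQTT listener decides whether the firewall stop-gap applies or whether, as with the MQTT bypass, only the upgrade does.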