
CRE-2025-0049

NATS Payload Size Too Big

Severity: Low
Impact: 2/10
Mitigation: 8/10


Description

The NATS server is configured to accept messages whose payloads may exceed the recommended maximum of 8 MB. The server's default `max_payload` is 1 MB; it can be raised, but the server caps the setting at 64 MB. Large messages put disproportionate pressure on broker memory, network buffers, and client back-pressure mechanisms. This warning signals that NATS is at risk of degraded throughput, slow consumers, and forced connection closures that the server issues to protect cluster stability.

Mitigation

- **Enforce tighter limits**: set `max_payload` to 8 MB or lower in `nats-server.conf`; a smaller limit forces clients to chunk or off-load large data, and any publish that exceeds it is rejected by the server, which closes the offending connection with a maximum payload violation.
- **Chunk or stream**: split large blobs into smaller messages that the consumer reassembles, or publish to the JetStream Object Store or external storage and send only references.
- **Add client-side guards**: validate payload size before every publish and reject or compress anything that would breach the limit, so the client never trips the server-side check.
- **Monitor logs and metrics**: alert on the warning string and track memory, pending bytes, and slow-consumer disconnect counts.
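The following Go program is an added example, not code from the CRE or from the NATS project, showing the client-side guard and the chunk-and-reassemble pattern from the mitigation list. It assumes a fixed limit equal to the 1 MB server default; a real client would read the negotiated limit from `nc.MaxPayload()` in the nats.go client after connecting. The 16-byte chunk header (blob ID, index, count) is a layout invented for this example, not a NATS protocol field, and the publish side is left to the caller so the code runs offline.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed limit for this example: the nats-server default max_payload.
// A real client should use nc.MaxPayload() (nats.go) instead.
const maxPayload = 1024 * 1024

// Chunk header layout, constructed for this example (not part of NATS):
// 8 bytes blob ID | 4 bytes chunk index | 4 bytes chunk count.
const headerLen = 16

var ErrPayloadTooLarge = errors.New("payload exceeds server max_payload")

// CheckPayload is the client-side guard: refuse to publish anything the
// server would reject (it would otherwise close the connection).
func CheckPayload(payload []byte, limit int) error {
	if len(payload) > limit {
		return fmt.Errorf("%w: %d > %d bytes", ErrPayloadTooLarge, len(payload), limit)
	}
	return nil
}

// Chunk splits blob into frames that each fit within limit, prefixed with
// the header so a consumer can reassemble them in order.
func Chunk(blobID uint64, blob []byte, limit int) ([][]byte, error) {
	if limit <= headerLen {
		return nil, errors.New("limit too small to carry a chunk header")
	}
	dataPer := limit - headerLen
	count := (len(blob) + dataPer - 1) / dataPer
	if count == 0 {
		count = 1 // an empty blob still produces one frame
	}
	frames := make([][]byte, 0, count)
	for i := 0; i < count; i++ {
		start := i * dataPer
		end := start + dataPer
		if end > len(blob) {
			end = len(blob)
		}
		frame := make([]byte, headerLen+end-start)
		binary.BigEndian.PutUint64(frame[0:8], blobID)
		binary.BigEndian.PutUint32(frame[8:12], uint32(i))
		binary.BigEndian.PutUint32(frame[12:16], uint32(count))
		copy(frame[headerLen:], blob[start:end])
		if err := CheckPayload(frame, limit); err != nil {
			return nil, err // defensive; cannot trigger by construction
		}
		frames = append(frames, frame)
	}
	return frames, nil
}

// Reassembler collects frames per blob ID, tolerating out-of-order and
// duplicate delivery, and hands back the blob once every chunk has arrived.
type Reassembler struct {
	parts map[uint64][][]byte
	seen  map[uint64]int
}

func NewReassembler() *Reassembler {
	return &Reassembler{parts: map[uint64][][]byte{}, seen: map[uint64]int{}}
}

// Add consumes one frame; the bool is true when the blob is complete.
func (r *Reassembler) Add(frame []byte) ([]byte, bool, error) {
	if len(frame) < headerLen {
		return nil, false, errors.New("frame shorter than chunk header")
	}
	id := binary.BigEndian.Uint64(frame[0:8])
	idx := int(binary.BigEndian.Uint32(frame[8:12]))
	count := int(binary.BigEndian.Uint32(frame[12:16]))
	if count == 0 || idx >= count {
		return nil, false, fmt.Errorf("bad chunk header: index %d of %d", idx, count)
	}
	parts, ok := r.parts[id]
	if !ok {
		parts = make([][]byte, count)
		r.parts[id] = parts
	} else if len(parts) != count {
		return nil, false, fmt.Errorf("chunk count mismatch for blob %d", id)
	}
	if parts[idx] == nil { // ignore duplicates
		parts[idx] = append([]byte(nil), frame[headerLen:]...)
		r.seen[id]++
	}
	if r.seen[id] < count {
		return nil, false, nil
	}
	var blob []byte
	for _, p := range parts {
		blob = append(blob, p...)
	}
	delete(r.parts, id)
	delete(r.seen, id)
	return blob, true, nil
}

func main() {
	blob := make([]byte, 2_500_000) // constructed 2.5 MB sample, over the 1 MB default
	fmt.Println("guard:", CheckPayload(blob, maxPayload))
	frames, _ := Chunk(42, blob, maxPayload)
	fmt.Println("frames:", len(frames))
}
```

Publishing each frame with `nc.Publish(subject, frame)` and feeding received `msg.Data` into `Reassembler.Add` on the consumer side keeps every message under the server limit without touching `max_payload`.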

References