Skip to main content

CRE-2025-0049

NATS Payload Size Too BigLow
Impact: 2/10
Mitigation: 8/10

CRE-2025-0049View on GitHub

Description

The NATS server is configured to publish messages with payloads that may exceed the recommended maximum of 8 MB (the server’s default hard limit is 1 MB but it can be raised to 64 MB). Large messages put disproportionate pressure on broker memory, network buffers, and client back-pressure mechanisms. This warning signals NATS is at risk of degraded throughput, slow consumers, and forced connection closures intended to protect cluster stability.

Mitigation

- **Enforce tighter limits**: set `max_payload` to a value ≤ 8 MB (or lower) in `nats-server.conf`; smaller limits force clients to chunk or off-load large data. - **Chunk or stream**: split large blobs into smaller messages that the consumer reassembles, or publish to JetStream Object Store / external storage and send only references. - **Add client-side guards**: validate payload size before every publish and reject or compress anything that would breach the limit. - **Monitor log & metrics**: alert on the warning string and track memory, pending bytes, and slow-consumer disconnect counts.

References