
CRE-2025-0049

NATS Payload Size Too Big

Severity: Low
Impact: 2/10
Mitigation: 8/10

Description

The NATS server is configured to accept published messages whose payloads may exceed the recommended maximum of 8 MB (the server's default hard limit is 1 MB, but it can be raised to 64 MB). Large messages put disproportionate pressure on broker memory, network buffers, and client back-pressure mechanisms.

This warning signals that NATS is at risk of degraded throughput, slow consumers, and forced connection closures intended to protect cluster stability.


Cause

  • The `max_payload` setting was increased (or left unbounded) in the server configuration, allowing oversized publishes.
  • Clients are batching or embedding large binary blobs (e.g., files, images, or protocol-buffer frames) directly in message bodies instead of using object storage or chunking.
  • Producers lack safeguards to check server-advertised limits at connection time, so later code changes silently begin sending bigger payloads.


Mitigation

  • Enforce tighter limits: set `max_payload` to a value ≤ 8 MB (or lower) in `nats-server.conf`; smaller limits force clients to chunk or off-load large data.
  • Chunk or stream: split large blobs into smaller messages that the consumer reassembles, or publish to JetStream Object Store / external storage and send only references.
  • Add client-side guards: validate payload size before every publish and reject or compress anything that would breach the limit.
  • Monitor logs and metrics: alert on the warning string and track memory, pending bytes, and slow-consumer disconnect counts.
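The client-side guard and chunking mitigations above, as an added example that is not code from this CRE page or from the NATS project. It is plain Python with no NATS client: the `max_payload` value is assumed to be the one a client reads from the server's INFO message at connect time, the chunk headers are assumed to travel as NATS message headers, and `header_reserve` is an assumed margin for them.

```python
import hashlib
from typing import Iterator


class PayloadTooLarge(ValueError):
    """Raised before publish when a message would breach the server limit."""


def guard_payload(payload: bytes, max_payload: int) -> bytes:
    """Client-side guard: refuse to publish anything over max_payload."""
    if len(payload) > max_payload:
        raise PayloadTooLarge(
            f"{len(payload)} bytes exceeds server max_payload of {max_payload}")
    return payload


def chunk_payload(blob: bytes, max_payload: int,
                  header_reserve: int = 256) -> Iterator[tuple[dict, bytes]]:
    """Split a blob into messages that each fit under max_payload.

    Every chunk carries headers (assumed to travel as NATS headers) with a blob
    id, sequence number, chunk count and the digest of the whole blob, so the
    consumer can reassemble and verify. header_reserve is an assumed margin
    for those headers, since the server limit applies to the whole frame.
    """
    limit = max_payload - header_reserve
    if limit <= 0:
        raise ValueError("header_reserve leaves no room for data")
    digest = hashlib.sha256(blob).hexdigest()
    total = max(1, -(-len(blob) // limit))  # ceiling division, at least 1 chunk
    for seq in range(total):
        chunk = blob[seq * limit:(seq + 1) * limit]
        headers = {"Blob-Id": digest[:16], "Seq": str(seq),
                   "Total": str(total), "Sha256": digest}
        yield headers, guard_payload(chunk, limit)


def reassemble(messages: list[tuple[dict, bytes]]) -> bytes:
    """Consumer side: order chunks, check none are missing, verify the digest."""
    ordered = sorted(messages, key=lambda m: int(m[0]["Seq"]))
    total = int(ordered[0][0]["Total"])
    if [int(h["Seq"]) for h, _ in ordered] != list(range(total)):
        raise ValueError("missing, duplicate or out-of-range chunks")
    blob = b"".join(chunk for _, chunk in ordered)
    if hashlib.sha256(blob).hexdigest() != ordered[0][0]["Sha256"]:
        raise ValueError("digest mismatch after reassembly")
    return blob
```

A producer wraps every publish in `guard_payload` and routes anything larger through `chunk_payload`, so a later code change that starts sending bigger bodies fails at the client instead of tripping the server's limit.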


References