CVE-2026-40303
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary endpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, count) with no upper bound before any token validation occurs. The function is reached on every request to an OAuth-protected proxy share, allowing an unauthenticated remote attacker to trigger gigabyte-scale heap allocations per request, leading to process-level OOM termination or repeated goroutine panics. Both publicProxy and dynamicProxy are affected.
- Attack Vector: Network - exploitable via a single HTTP request with a crafted Cookie header.
- Attack Complexity: Low - no preconditions or chaining required; the attacker only needs to know the cookie name (publicly derivable from any OAuth redirect).
- Privileges Required: None - reached before JWT validation or any authentication check.
- User Interaction: None.
- Scope: Unchanged - impact is confined to the affected proxy process.
- Confidentiality Impact: None.
- Integrity Impact: None.
Availability Impact: High - sustained or concurrent requests cause OOM process termination, taking down the proxy for all users of all shares it serves.
Affected Components
- endpoints/oauthCookies.go - GetSessionCookie (line 81)
- endpoints/publicProxy/authOAuth.go - handleOAuth (line 50) - call site, pre-auth
- endpoints/dynamicProxy/cookies.go - getSessionCookie (line 29) - call site
Analysis
Summary endpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, count) with no upper bound before any token validation occurs. The function is reached on every request to an OAuth-protected proxy share, allowing an unauthenticated remote attacker to trigger gigabyte-scale heap allocations per request, leading to process-level OOM termination or repeated goroutine panics. Both publicProxy and dynamicProxy are affected.
- Attack Vector: Network - exploitable via a single HTTP request with a crafted Cookie header.
- Attack Complexity: Low - no preconditions or chaining required; the attacker only needs to know the cookie name (publicly derivable from any OAuth redirect).
- Privileges Required: None - reached before JWT validation or any authentication check.
- User Interaction: None.
- Scope: Unchanged - impact is confined to the affected proxy process.
- Confidentiality Impact: None.
- Integrity Impact: None.
Availability Impact: High - sustained or concurrent requests cause OOM process termination, taking down the proxy for all users of all shares it serves.
Affected Components
- endpoints/oauthCookies.go - GetSessionCookie (line 81)
- endpoints/publicProxy/authOAuth.go - handleOAuth (line 50) - call site, pre-auth
- endpoints/dynamicProxy/cookies.go - getSessionCookie (line 29) - call site
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-cpf9-ph2j-ccr9