Skip to main content

CVE-2026-40303

HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-04-16 https://github.com/openziti/zrok GHSA-cpf9-ph2j-ccr9
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Patch released
Apr 17, 2026 - 02:30 nvd
Patch available
CVE Published
Apr 16, 2026 - 21:09 nvd
HIGH 7.5

DescriptionGitHub Advisory

Summary endpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, count) with no upper bound before any token validation occurs. The function is reached on every request to an OAuth-protected proxy share, allowing an unauthenticated remote attacker to trigger gigabyte-scale heap allocations per request, leading to process-level OOM termination or repeated goroutine panics. Both publicProxy and dynamicProxy are affected.

  • Attack Vector: Network - exploitable via a single HTTP request with a crafted Cookie header.
  • Attack Complexity: Low - no preconditions or chaining required; the attacker only needs to know the cookie name (publicly derivable from any OAuth redirect).
  • Privileges Required: None - reached before JWT validation or any authentication check.
  • User Interaction: None.
  • Scope: Unchanged - impact is confined to the affected proxy process.
  • Confidentiality Impact: None.
  • Integrity Impact: None.

Availability Impact: High - sustained or concurrent requests cause OOM process termination, taking down the proxy for all users of all shares it serves.

Affected Components

  • endpoints/oauthCookies.go - GetSessionCookie (line 81)
  • endpoints/publicProxy/authOAuth.go - handleOAuth (line 50) - call site, pre-auth
  • endpoints/dynamicProxy/cookies.go - getSessionCookie (line 29) - call site

Analysis

Summary endpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, count) with no upper bound before any token validation occurs. The function is reached on every request to an OAuth-protected proxy share, allowing an unauthenticated remote attacker to trigger gigabyte-scale heap allocations per request, leading to process-level OOM termination or repeated goroutine panics. Both publicProxy and dynamicProxy are affected.

  • Attack Vector: Network - exploitable via a single HTTP request with a crafted Cookie header.
  • Attack Complexity: Low - no preconditions or chaining required; the attacker only needs to know the cookie name (publicly derivable from any OAuth redirect).
  • Privileges Required: None - reached before JWT validation or any authentication check.
  • User Interaction: None.
  • Scope: Unchanged - impact is confined to the affected proxy process.
  • Confidentiality Impact: None.
  • Integrity Impact: None.

Availability Impact: High - sustained or concurrent requests cause OOM process termination, taking down the proxy for all users of all shares it serves.

Affected Components

  • endpoints/oauthCookies.go - GetSessionCookie (line 81)
  • endpoints/publicProxy/authOAuth.go - handleOAuth (line 50) - call site, pre-auth
  • endpoints/dynamicProxy/cookies.go - getSessionCookie (line 29) - call site

Share

CVE-2026-40303 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy