Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
ZEBRA is a Zcash node written entirely in Rust. From zebrad versions 2.2.0 to before 4.3.1 and from zebra-rpc versions 1.0.0-beta.45 to before 6.0.2, a vulnerability in Zebra's JSON-RPC HTTP middleware allows an authenticated RPC client to cause a Zebra node to crash by disconnecting before the request body is fully received. The node treats the failure to read the HTTP request body as an unrecoverable error and aborts the process instead of returning an error response. This issue has been patched in zebrad version 4.3.1 and zebra-rpc version 6.0.2.
AnalysisAI
Denial of service in Zebra's JSON-RPC HTTP middleware allows authenticated RPC clients to crash a Zebra node by disconnecting mid-request, exploiting improper error handling that treats incomplete HTTP body reads as unrecoverable failures instead of returning error responses. Affects zebrad versions 2.2.0 through 4.3.0 and zebra-rpc versions 1.0.0-beta.45 through 6.0.1. No public exploit code or active exploitation confirmed; patch available in zebrad 4.3.1 and zebra-rpc 6.0.2.
Technical ContextAI
Zebra is a Zcash blockchain node implementation written in Rust. The vulnerability resides in the JSON-RPC HTTP middleware layer that handles incoming RPC requests over HTTP. The root cause is CWE-248 (Uncaught Exception), where the middleware fails to properly handle exceptions or error conditions when reading the incoming HTTP request body. When a client disconnects or resets the TCP connection before transmitting the complete request body, the middleware's HTTP request parsing logic encounters a read failure. Rather than gracefully handling this I/O error and returning an HTTP error response (e.g., 400 Bad Request), the middleware treats it as an unrecoverable fatal error and calls process abort(), immediately terminating the entire Zebra node. This affects both the standalone zebrad binary (versions 2.2.0-4.3.0) and the zebra-rpc crate library (versions 1.0.0-beta.45-6.0.1) which provide the HTTP middleware implementation.
RemediationAI
Upgrade zebrad to version 4.3.1 or later, and zebra-rpc to version 6.0.2 or later. The patched versions propagate HTTP request body read failures as ordinary error responses (HTTP 400 or similar) rather than aborting the process. If immediate upgrade is not feasible, implement strict network isolation by binding the RPC interface to localhost only and ensuring cookie authentication remains enabled (the default configuration). If RPC must be exposed to untrusted networks, restrict access via firewall rules or reverse proxy authentication in front of the Zebra node. Be aware that these mitigations reduce availability and administrative flexibility but do not fully eliminate the DoS risk if authentication credentials are compromised.
Same weakness CWE-248 – Uncaught Exception
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28655