CVE-2026-40303
HIGH7.5EPSS 0.03%zrok: Unauthenticated DoS via unbounded memory allocation in striped session cookie parsing
Description
**Summary** endpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, count) with no upper bound before any token validation occurs. The function is reached on every request to an OAuth-protected proxy share, allowing an unauthenticated remote attacker to trigger gigabyte-scale heap allocations per request, leading to process-level OOM termination or repeated goroutine panics. Both publicProxy and dynamicProxy are affected. - Attack Vector: Network — exploitable via a single HTTP request with a crafted Cookie header. - Attack Complexity: Low — no preconditions or chaining required; the attacker only needs to know the cookie name (publicly derivable from any OAuth redirect). - Privileges Required: None — reached before JWT validation or any authentication check. - User Interaction: None. - Scope: Unchanged — impact is confined to the affected proxy process. - Confidentiality Impact: None. - Integrity Impact: None. Availability Impact: High — sustained or concurrent requests cause OOM process termination, taking down the proxy for all users of all shares it serves. **Affected Components** - endpoints/oauthCookies.go — GetSessionCookie (line 81) - endpoints/publicProxy/authOAuth.go — handleOAuth (line 50) — call site, pre-auth - endpoints/dynamicProxy/cookies.go — getSessionCookie (line 29) — call site
Affected packages (2)
- Go/github.com/openziti/zrokfrom 0, <= 1.1.11
- Go/github.com/openziti/zrok/v2from 0, < 2.0.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |