diff --git a/advisories/github-reviewed/2026/04/GHSA-cpf9-ph2j-ccr9/GHSA-cpf9-ph2j-ccr9.json b/advisories/github-reviewed/2026/04/GHSA-cpf9-ph2j-ccr9/GHSA-cpf9-ph2j-ccr9.json index 193fef680dc87..72ee585b98657 100644 --- a/advisories/github-reviewed/2026/04/GHSA-cpf9-ph2j-ccr9/GHSA-cpf9-ph2j-ccr9.json +++ b/advisories/github-reviewed/2026/04/GHSA-cpf9-ph2j-ccr9/GHSA-cpf9-ph2j-ccr9.json @@ -1,13 +1,13 @@ { "schema_version": "1.4.0", "id": "GHSA-cpf9-ph2j-ccr9", - "modified": "2026-04-16T21:09:08Z", + "modified": "2026-04-16T21:09:11Z", "published": "2026-04-16T21:09:08Z", "aliases": [ "CVE-2026-40303" ], "summary": "zrok: Unauthenticated DoS via unbounded memory allocation in striped session cookie parsing", - "details": "**Summary**\nendpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, count) with no upper bound before any token validation occurs. The function is reached on every request to an OAuth-protected proxy share, allowing an unauthenticated remote attacker to trigger gigabyte-scale heap allocations per request, leading to process-level OOM termination or repeated goroutine panics. Both publicProxy and dynamicProxy are affected.\n\n- Attack Vector: Network — exploitable via a single HTTP request with a crafted Cookie header.\n- Attack Complexity: Low — no preconditions or chaining required; the attacker only needs to know the cookie name (publicly derivable from any OAuth redirect).\n- Privileges Required: None — reached before JWT validation or any authentication check.\n- User Interaction: None.\n- Scope: Unchanged — impact is confined to the affected proxy process.\n- Confidentiality Impact: None.\n- Integrity Impact: None.\n\nAvailability Impact: High — sustained or concurrent requests cause OOM process termination, taking down the proxy for all users of all shares it serves.\n\n**Affected Components**\n- endpoints/oauthCookies.go — GetSessionCookie (line 81)\n- endpoints/publicProxy/authOAuth.go — handleOAuth (line 50) — call site, pre-auth\n- endpoints/dynamicProxy/cookies.go — getSessionCookie (line 29) — call site", + "details": "**Summary**\nendpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, count) with no upper bound before any token validation occurs. The function is reached on every request to an OAuth-protected proxy share, allowing an unauthenticated remote attacker to trigger gigabyte-scale heap allocations per request, leading to process-level OOM termination or repeated goroutine panics. Both publicProxy and dynamicProxy are affected.\n\n- Attack Vector: Network — exploitable via a single HTTP request with a crafted Cookie header.\n- Attack Complexity: Low — no preconditions or chaining required; the attacker only needs to know the cookie name (publicly derivable from any OAuth redirect).\n- Privileges Required: None — reached before JWT validation or any authentication check.\n- User Interaction: None.\n- Scope: Unchanged — impact is confined to the affected proxy process.\n- Confidentiality Impact: None.\n- Integrity Impact: None.\n\nAvailability Impact: High — sustained or concurrent requests cause OOM process termination, taking down the proxy for all users of all shares it serves.\n\n**Affected Components**\n- endpoints/oauthCookies.go — GetSessionCookie (line 81)\n- endpoints/publicProxy/authOAuth.go — handleOAuth (line 50) — call site, pre-auth\n- endpoints/dynamicProxy/cookies.go — getSessionCookie (line 29) — call site\n\n**Suggested Improvements**\n- Add an upper bound check for cookie chunk count in `GetSessionCookie` to prevent unbounded memory allocation.\n- Perform token validation before any allocation occurs.\n- Implement graceful error handling when excessive or invalid cookie values are received.\n- Add unit tests simulating malicious cookie input to ensure robustness against DoS attempts.\n- Update documentation to recommend upgrading to v2.0.1 and monitoring memory usage in production deployments.\n", "severity": [ { "type": "CVSS_V3",