github · ryanbekhen · Apr 17, 2026
diff --git a/advisories/github-reviewed/2026/04/GHSA-cpf9-ph2j-ccr9/GHSA-cpf9-ph2j-ccr9.json b/advisories/github-reviewed/2026/04/GHSA-cpf9-ph2j-ccr9/GHSA-cpf9-ph2j-ccr9.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-cpf9-ph2j-ccr9",
-  "modified": "2026-04-16T21:09:08Z",
+  "modified": "2026-04-16T21:09:11Z",
   "published": "2026-04-16T21:09:08Z",
   "aliases": [
     "CVE-2026-40303"
   ],
   "summary": "zrok: Unauthenticated DoS via unbounded memory allocation in striped session cookie parsing",
-  "details": "**Summary**\nendpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, count) with no upper bound before any token validation occurs. The function is reached on every request to an OAuth-protected proxy share, allowing an unauthenticated remote attacker to trigger gigabyte-scale heap allocations per request, leading to process-level OOM termination or repeated goroutine panics. Both publicProxy and dynamicProxy are affected.\n\n- Attack Vector: Network — exploitable via a single HTTP request with a crafted Cookie header.\n- Attack Complexity: Low — no preconditions or chaining required; the attacker only needs to know the cookie name (publicly derivable from any OAuth redirect).\n- Privileges Required: None — reached before JWT validation or any authentication check.\n- User Interaction: None.\n- Scope: Unchanged — impact is confined to the affected proxy process.\n- Confidentiality Impact: None.\n- Integrity Impact: None.\n\nAvailability Impact: High — sustained or concurrent requests cause OOM process termination, taking down the proxy for all users of all shares it serves.\n\n**Affected Components**\n- endpoints/oauthCookies.go — GetSessionCookie (line 81)\n- endpoints/publicProxy/authOAuth.go — handleOAuth (line 50) — call site, pre-auth\n- endpoints/dynamicProxy/cookies.go — getSessionCookie (line 29) — call site",
+  "details": "**Summary**\nendpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, count) with no upper bound before any token validation occurs. The function is reached on every request to an OAuth-protected proxy share, allowing an unauthenticated remote attacker to trigger gigabyte-scale heap allocations per request, leading to process-level OOM termination or repeated goroutine panics. Both publicProxy and dynamicProxy are affected.\n\n- Attack Vector: Network — exploitable via a single HTTP request with a crafted Cookie header.\n- Attack Complexity: Low — no preconditions or chaining required; the attacker only needs to know the cookie name (publicly derivable from any OAuth redirect).\n- Privileges Required: None — reached before JWT validation or any authentication check.\n- User Interaction: None.\n- Scope: Unchanged — impact is confined to the affected proxy process.\n- Confidentiality Impact: None.\n- Integrity Impact: None.\n\nAvailability Impact: High — sustained or concurrent requests cause OOM process termination, taking down the proxy for all users of all shares it serves.\n\n**Affected Components**\n- endpoints/oauthCookies.go — GetSessionCookie (line 81)\n- endpoints/publicProxy/authOAuth.go — handleOAuth (line 50) — call site, pre-auth\n- endpoints/dynamicProxy/cookies.go — getSessionCookie (line 29) — call site\n\n**Suggested Improvements**\n- Add an upper bound check for cookie chunk count in `GetSessionCookie` to prevent unbounded memory allocation.\n- Perform token validation before any allocation occurs.\n- Implement graceful error handling when excessive or invalid cookie values are received.\n- Add unit tests simulating malicious cookie input to ensure robustness against DoS attempts.\n- Update documentation to recommend upgrading to v2.0.1 and monitoring memory usage in production deployments.\n",
   "severity": [
     {
       "type": "CVSS_V3",