{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/zrok/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["dos","vulnerability","zrok","CVE-2026-40303"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA denial-of-service vulnerability exists in zrok versions 1.1.11 and earlier, as well as versions 2.0.0 and earlier, due to unbounded memory allocation in the \u003ccode\u003eGetSessionCookie\u003c/code\u003e function. This function, located in \u003ccode\u003eendpoints/oauthCookies.go\u003c/code\u003e, parses an attacker-supplied cookie chunk count and calls \u003ccode\u003emake([]string, count)\u003c/code\u003e without any upper bound before token validation. Since this function is invoked on every request to an OAuth-protected proxy share, an unauthenticated remote attacker can send a single HTTP request with a crafted Cookie header to trigger gigabyte-scale heap allocations. This can lead to process-level out-of-memory (OOM) termination or repeated goroutine panics, effectively disabling the proxy server and impacting all users of the affected shares. Both \u003ccode\u003epublicProxy\u003c/code\u003e and \u003ccode\u003edynamicProxy\u003c/code\u003e are affected. This vulnerability is identified as CVE-2026-40303.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a zrok proxy server running a vulnerable version (\u0026lt;= 1.1.11 or \u0026lt; 2.0.1).\u003c/li\u003e\n\u003cli\u003eThe attacker discovers an OAuth-protected proxy share. The cookie name is publicly derivable from any OAuth redirect.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP request with a Cookie header.\u003c/li\u003e\n\u003cli\u003eThe Cookie header is specifically crafted to include a large chunk count.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eendpoints.GetSessionCookie\u003c/code\u003e function in \u003ccode\u003eendpoints/oauthCookies.go\u003c/code\u003e is called to parse the cookie.\u003c/li\u003e\n\u003cli\u003eInside \u003ccode\u003eGetSessionCookie\u003c/code\u003e, \u003ccode\u003emake([]string, count)\u003c/code\u003e is called with the attacker-controlled count from the cookie, resulting in unbounded memory allocation.\u003c/li\u003e\n\u003cli\u003eThe excessive memory allocation leads to either OOM termination of the zrok proxy process, or repeated goroutine panics.\u003c/li\u003e\n\u003cli\u003eThe zrok proxy server becomes unavailable, impacting all users of all shares it serves.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to a denial-of-service condition. The zrok proxy server becomes unavailable, preventing legitimate users from accessing proxied resources. The number of affected users depends on the deployment size, but all users of any shares served by the affected proxy instance will be impacted until the service restarts or the vulnerability is patched. The targeted sector is any organization utilizing zrok for secure tunneling and sharing of resources.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch for CVE-2026-40303 by upgrading to zrok version 1.1.12 or later, or 2.0.1 or later.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on incoming HTTP requests to the zrok proxy to mitigate the impact of potential exploitation.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Cookie Header Size\u003c/code\u003e to identify requests with abnormally large cookie sizes.\u003c/li\u003e\n\u003cli\u003eMonitor zrok proxy server resource utilization (CPU, memory) for unexpected spikes, which could indicate exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T12:00:00Z","date_published":"2026-04-17T12:00:00Z","id":"/briefs/2026-04-zrok-dos/","summary":"An unauthenticated attacker can cause a denial-of-service (DoS) in zrok by sending a crafted HTTP request with a large cookie chunk count to an OAuth-protected proxy share, triggering unbounded memory allocation and leading to process termination.","title":"zrok Unauthenticated Denial-of-Service Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-zrok-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Zrok","version":"https://jsonfeed.org/version/1.1"}