NIXPKGS-2026-1155

GitHub issue published on

Permalink CVE-2026-40303

7.5 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): NONE
Availability impact (A): HIGH

updated 1 week, 3 days ago by @LeSuisse Activity log

Created suggestion 1 week, 4 days ago
@LeSuisse ignored maintainer @bennyandresen 1 week, 3 days ago maintainer.ignore
@LeSuisse accepted 1 week, 3 days ago
@LeSuisse published on GitHub 1 week, 3 days ago

zrok allows unauthenticated DoS via unbounded memory allocation in striped session cookie parsing

zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, endpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, count) with no upper bound before any token validation occurs. The function is reached on every request to an OAuth-protected proxy share, allowing an unauthenticated remote attacker to trigger gigabyte-scale heap allocations per request, leading to process-level OOM termination or repeated goroutine panics. Both publicProxy and dynamicProxy are affected. Version 2.0.1 patches the issue.

References

https://github.com/openziti/zrok/security/advisories/GHSA-cpf9-ph2j-ccr9 x_refsource_CONFIRM

Ignored references (1)

https://github.com/openziti/zrok/releases/tag/v2.0.1 x_refsource_MISC

Affected products

zrok

==< 2.0.1

Matching in nixpkgs

pkgs.zrok

Geo-scale, next-generation sharing platform built on top of OpenZiti

nixos-unstable 2.0.1
- nixpkgs-unstable 2.0.1
- nixos-unstable-small 2.0.1
nixos-25.11 1.0.4
- nixos-25.11-small 1.0.4
- nixpkgs-25.11-darwin 1.0.4

Package maintainers

Ignored maintainers (1)

@bennyandresen Benjamin Andresen <bandresen@gmail.com>

Nixpkgs security tracker

Details of issue NIXPKGS-2026-1155

References

Affected products

Matching in nixpkgs

pkgs.zrok

Package maintainers