Unauthenticated Denial of Service via Oversized Cookie Parsing

GHSA-cpf9-ph2j-ccr9 CVE-2026-40303
Summary

An attacker can cause the proxy server to run out of memory by sending a specially crafted cookie, taking down the server for all users. This requires no authentication and can be done with a single malicious HTTP request. To fix this issue, update the code to validate cookie inputs before allocating memory.

What to do
  • Update github.com openziti to version 2.0.1.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| go | github.com | openziti | <= 1.1.11 |
| go | github.com | openziti | < 2.0.1 |
Fix: upgrade to 2.0.1
Original title
zrok: Unauthenticated DoS via unbounded memory allocation in striped session cookie parsing
Original description
**Summary**
endpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, count) with no upper bound before any token validation occurs. The function is reached on every request to an OAuth-protected proxy share, allowing an unauthenticated remote attacker to trigger gigabyte-scale heap allocations per request, leading to process-level OOM termination or repeated goroutine panics. Both publicProxy and dynamicProxy are affected.

- Attack Vector: Network — exploitable via a single HTTP request with a crafted Cookie header.
- Attack Complexity: Low — no preconditions or chaining required; the attacker only needs to know the cookie name (publicly derivable from any OAuth redirect).
- Privileges Required: None — reached before JWT validation or any authentication check.
- User Interaction: None.
- Scope: Unchanged — impact is confined to the affected proxy process.
- Confidentiality Impact: None.
- Integrity Impact: None.
- Availability Impact: High — sustained or concurrent requests cause OOM process termination, taking down the proxy for all users of all shares it serves.

**Affected Components**
- endpoints/oauthCookies.go — GetSessionCookie (line 81)
- endpoints/publicProxy/authOAuth.go — handleOAuth (line 50) — call site, pre-auth
- endpoints/dynamicProxy/cookies.go — getSessionCookie (line 29) — call site
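The validate-before-allocate fix the summary calls for, as an added Go example that is not zrok's own code: the striped-cookie layout (`<name>_n` count cookie plus `<name>_0..` pieces), the cookie names and the `maxChunks` bound are assumptions, chosen to mirror the bug shape described above.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// maxChunks caps how many cookie pieces we will allocate for; a session token
// split across more than a few 4 KiB cookies is never legitimate traffic.
const maxChunks = 16
var errBadChunkCount = errors.New("invalid or oversized cookie chunk count")

// getSessionCookie reassembles a token striped across cookies. Assumed layout
// (hypothetical, not zrok's real format): "<name>_n" holds the chunk count and
// "<name>_0".."<name>_<n-1>" hold the pieces. The count is validated before any
// allocation sized by it, which is the fix the advisory calls for.
func getSessionCookie(r *http.Request, name string) (string, error) {
	nc, err := r.Cookie(name + "_n")
	if err != nil {
		return "", err
	}
	count, err := strconv.Atoi(nc.Value)
	if err != nil || count < 1 || count > maxChunks {
		return "", errBadChunkCount // rejected before make(): a huge count never reaches the allocator
	}
	parts := make([]string, 0, count) // bounded by maxChunks
	for i := 0; i < count; i++ {
		c, err := r.Cookie(fmt.Sprintf("%s_%d", name, i))
		if err != nil {
			return "", fmt.Errorf("missing chunk %d: %w", i, err)
		}
		parts = append(parts, c.Value)
	}
	return strings.Join(parts, ""), nil
}

// requestWithCookies builds a request carrying constructed cookies (test input only).
func requestWithCookies(cookies map[string]string) *http.Request {
	r, _ := http.NewRequest("GET", "http://share.example/", nil)
	for k, v := range cookies {
		r.AddCookie(&http.Cookie{Name: k, Value: v})
	}
	return r
}

func main() {
	fmt.Println(getSessionCookie(requestWithCookies(map[string]string{"sess_n": "2", "sess_0": "abc", "sess_1": "def"}), "sess"))
	fmt.Println(getSessionCookie(requestWithCookies(map[string]string{"sess_n": "2147483647"}), "sess"))
}
```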
Severity: CVSS 3.1 score 7.5 (source: GHSA)
Vulnerability type
CWE-400 Uncontrolled Resource Consumption
CWE-789 Memory Allocation with Excessive Size Value
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026