DNA View

High Severity Vulnerability

This vulnerability has been rated as High severity. Immediate action is recommended.

CVE-2026-40303

High

Low Medium High Critical

7.5

CVSS Score

Published: Apr 17, 2026

Last Modified: Apr 17, 2026

CWE: CWE-400

Vulnerability Description

zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, endpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, count) with no upper bound before any token validation occurs. The function is reached on every request to an OAuth-protected proxy share, allowing an unauthenticated remote attacker to trigger gigabyte-scale heap allocations per request, leading to process-level OOM termination or repeated goroutine panics. Both publicProxy and dynamicProxy are affected. Version 2.0.1 patches the issue.

CVSS Metrics

Common Vulnerability Scoring System

Vector String:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

References & Resources

Severity Details

7.5

out of 10.0

High

Weakness Type (CWE)

CWE-400

Uncontrolled Resource Consumption

Description: The product does not properly control the allocation and maintenance of a limited resource.
Exploit Likelihood: High
Typical Severity: High
Abstraction Level: Class