Zrok Unauthenticated Denial-of-Service Vulnerability via Unbounded Memory Allocation
Vulnerability
A denial-of-service vulnerability has been identified in Zrok versions prior to 2.0.1. The issue arises in the 'endpoints.GetSessionCookie' function, which processes an attacker-supplied cookie chunk count. This function is called on every request to an OAuth-protected proxy share, without any prior token validation. As a result, an unauthenticated remote attacker can induce massive heap allocations, leading to out-of-memory process termination or repeated goroutine panics. The vulnerability affects both 'publicProxy' and 'dynamicProxy'.
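The following Go program is an added illustration of the allocation pattern described above and of a bounded alternative; it is not zrok's code. The function names `vulnerableGetSessionCookie` and `safeGetSessionCookie`, the cookie names, and the limits `maxChunks` and `maxChunkLength` are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// Assumed names and limits for this illustration (not zrok's real values).
const (
	cookieName     = "zrok-session" // assumed base cookie name
	maxChunks      = 16             // assumed cap on the number of cookie chunks
	maxChunkLength = 4096           // assumed cap on a single chunk's length
)

var (
	ErrMissingCount  = errors.New("session cookie: missing chunk count")
	ErrBadCount      = errors.New("session cookie: invalid chunk count")
	ErrTooManyChunks = errors.New("session cookie: chunk count exceeds limit")
	ErrMissingChunk  = errors.New("session cookie: missing chunk")
	ErrChunkTooLong  = errors.New("session cookie: chunk exceeds length limit")
)

// parseChunkCount reads the client-supplied chunk count; both variants below
// share it, and differ only in what they do with the value.
func parseChunkCount(r *http.Request) (int, error) {
	c, err := r.Cookie(cookieName + "-count")
	if err != nil {
		return 0, ErrMissingCount
	}
	n, err := strconv.Atoi(c.Value)
	if err != nil || n <= 0 {
		return 0, ErrBadCount
	}
	return n, nil
}

// vulnerableGetSessionCookie models the flawed pattern: the count is trusted
// and sizes a slice before any bound or token check, so a large value from an
// unauthenticated client drives a huge heap allocation (or a makeslice panic).
func vulnerableGetSessionCookie(r *http.Request) (string, error) {
	n, err := parseChunkCount(r)
	if err != nil {
		return "", err
	}
	chunks := make([]string, n) // sized by untrusted input
	for i := range chunks {
		cc, err := r.Cookie(fmt.Sprintf("%s-%d", cookieName, i))
		if err != nil {
			return "", ErrMissingChunk
		}
		chunks[i] = cc.Value
	}
	return strings.Join(chunks, ""), nil
}

// safeGetSessionCookie rejects an out-of-range count before allocating anything
// and grows the result only by what the client actually sent, chunk by chunk.
func safeGetSessionCookie(r *http.Request) (string, error) {
	n, err := parseChunkCount(r)
	if err != nil {
		return "", err
	}
	if n > maxChunks {
		return "", ErrTooManyChunks
	}
	var sb strings.Builder
	for i := 0; i < n; i++ {
		cc, err := r.Cookie(fmt.Sprintf("%s-%d", cookieName, i))
		if err != nil {
			return "", ErrMissingChunk
		}
		if len(cc.Value) > maxChunkLength {
			return "", ErrChunkTooLong
		}
		sb.WriteString(cc.Value)
	}
	return sb.String(), nil
}

// newRequestWithCookies builds a request carrying the given cookies (constructed input).
func newRequestWithCookies(cookies map[string]string) *http.Request {
	r, _ := http.NewRequest(http.MethodGet, "http://share.example.invalid/", nil)
	for k, v := range cookies {
		r.AddCookie(&http.Cookie{Name: k, Value: v})
	}
	return r
}

func main() {
	ok := newRequestWithCookies(map[string]string{
		cookieName + "-count": "2", cookieName + "-0": "abc", cookieName + "-1": "def",
	})
	v, err := safeGetSessionCookie(ok)
	fmt.Println(v, err) // abcdef <nil>
}
```

The bound is checked before any allocation happens and independently of authentication state, which matters here because the page notes the cookie is parsed before any token validation, so an unauthenticated request reaches this code. The actual fix shipped in Zrok 2.0.1 may differ in its limits and structure; this is only the pattern a reviewer would look for.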
Impact
Exploitation of this vulnerability causes the proxy process to terminate due to excessive memory usage, disrupting service for all users and shares managed by the proxy.
Remediation
Users can upgrade to Zrok version 2.0.1 to address this vulnerability.