Zebra Denial-of-Service Vulnerability via Interrupted JSON-RPC Requests from Authenticated Clients
Vulnerability
A denial-of-service vulnerability has been identified in Zebra, a Zcash node implementation written in Rust. This issue affects zebrad versions 2.2.0 prior to 4.3.1 and zebra-rpc versions 1.0.0-beta.45 prior to 6.0.2. The vulnerability lies in Zebra's JSON-RPC HTTP middleware: an authenticated RPC client can crash a Zebra node by disconnecting before the entire request body has been received. The node mistakenly treats this interrupted read as a critical error and terminates the process abruptly instead of returning an error response to the client. This flaw has been addressed in zebrad version 4.3.1 and zebra-rpc version 6.0.2.
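The failure mode described above, as an added example that is not Zebra's own middleware code: a hypothetical body reader that treats a short read as fatal and panics, beside one that maps the same short read to an HTTP error for that connection only. The `read_body_*` functions, the `BodyResult` type and the sample request are constructed for illustration.

```rust
use std::io::{self, Read};

/// Either the complete JSON-RPC body, or the HTTP error to send back instead.
#[derive(Debug, PartialEq)]
pub enum BodyResult {
    Body(Vec<u8>),
    ErrorResponse { status: u16, message: String },
}

/// Vulnerable pattern (hypothetical, modelled on the advisory's description):
/// a short read caused by the client disconnecting is treated as a fatal error,
/// so the panic unwinds through the server and takes the whole process down.
pub fn read_body_vulnerable<R: Read>(reader: &mut R, content_length: usize) -> Vec<u8> {
    let mut body = vec![0u8; content_length];
    reader.read_exact(&mut body).expect("failed to read RPC body"); // panics on EOF
    body
}

/// Hardened pattern: a truncated body is the client's failure, so it becomes an
/// HTTP error response for that one connection and the node keeps serving.
pub fn read_body_hardened<R: Read>(reader: &mut R, content_length: usize) -> BodyResult {
    let mut body = vec![0u8; content_length];
    match reader.read_exact(&mut body) {
        Ok(()) => BodyResult::Body(body),
        Err(e) if e.kind() == io::ErrorKind::UnexpectedEof => BodyResult::ErrorResponse {
            status: 400,
            message: "request body shorter than Content-Length".to_string(),
        },
        // Any other I/O failure on this connection is not fatal for the process either.
        Err(e) => BodyResult::ErrorResponse { status: 500, message: e.to_string() },
    }
}

/// Constructed sample: the client announces the full body length but the
/// connection closes after 20 bytes. A `Cursor` over the short buffer behaves
/// like a socket whose peer has already disconnected.
pub fn truncated_request() -> (io::Cursor<Vec<u8>>, usize) {
    let full = br#"{"jsonrpc":"2.0","method":"getinfo","id":1}"#;
    (io::Cursor::new(full[..20].to_vec()), full.len())
}

fn main() {
    let (mut stream, len) = truncated_request();
    match read_body_hardened(&mut stream, len) {
        BodyResult::Body(b) => println!("got body ({} bytes)", b.len()),
        BodyResult::ErrorResponse { status, message } => println!("HTTP {status}: {message}"),
    }
}
```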
Impact
Exploitation of this vulnerability causes an immediate crash of the Zebra node, disrupting its availability and functionality.
Remediation
Users are advised to upgrade to Zebra version 4.3.1 or later. If an immediate upgrade is not feasible, ensure that the RPC port is not exposed to untrusted networks and that cookie authentication remains enabled, as these measures can help mitigate the risk.