PT-2026-55467 · Crates.Io · Zebra-Rpc+1
Publicado
2026-07-02
·
Atualizado
2026-07-02
·
CVE-2026-52731
CVSS v3.1
6.5
Média
| Vetor | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Am I affected
You are affected if:
- You run
zebradup to and includingv4.4.1. - Your
zebrad.tomlsetsrpc.listen addrto a TCP address (RPC server is enabled). - An attacker can authenticate to the RPC endpoint. With the default
enable cookie auth = true, this requires the attacker to read the.cookiefile. Withenable cookie auth = false, any network client reaching the RPC port can trigger it.
Summary
The
getblocktemplate RPC handler panics when parsing a LongPollId parameter that contains non-ASCII (multi-byte UTF-8) characters. The handler performs byte-index string slicing on the user-supplied string, which panics in Rust when a byte index falls within a multi-byte character boundary. Because Zebra's release profile sets panic = "abort", the panic terminates the entire node process.Details
The
getblocktemplate handler receives a user-supplied LongPollId string and slices it at fixed byte offsets to extract the encoded tip hash and tip height. When the string contains multi-byte UTF-8 characters, a byte-index slice can land in the middle of a character, causing Rust's str indexing to panic with "byte index is not a char boundary."Under the
panic = "abort" release profile, this panic terminates the entire zebrad process rather than just the RPC task.Patches
zebra-rpc 8.0.0 and zebrad 4.5.0.
Replace byte-index string slicing with character-aware parsing or validate that the
LongPollId string contains only ASCII characters before slicing.Workarounds
- Disable the RPC server by removing
rpc.listen addrfromzebrad.toml. - Ensure
enable cookie auth = true(the default) and restrict filesystem access to the.cookiefile. - Place a reverse proxy in front of the RPC port that validates
LongPollIdparameters are ASCII-only before forwarding.
Impact
A single authenticated RPC request terminates the
zebrad process. Same impact profile as GHSA-c8w6-x74f-vmg3: repeatable on restart, affects mining pools and infrastructure that forward getblocktemplate calls.Credit
Reported by
@sangsoo-osec via a private GitHub Security Advisory submission.Correção
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Zebra-Rpc
Zebrad