PT-2026-33379 · Zrok · Zrok

Published: 2026-04-16 · Updated: 2026-04-18 · CVE-2026-40303

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: zrok versions prior to 2.0.1

Description: The GetSessionCookie() function in the endpoints module parses an attacker-supplied cookie chunk count and calls make([]string, count) without an upper bound before token validation. This occurs on every request to an OAuth-protected proxy share, specifically affecting publicProxy and dynamicProxy. An unauthenticated remote attacker can send a single HTTP request with a crafted Cookie header to trigger gigabyte-scale heap allocations, leading to process-level Out-of-Memory (OOM) termination or repeated goroutine panics, which results in a denial of service for all users of the shares served by the proxy.

Recommendations: Update to version 2.0.1.
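As an added illustration, not zrok's own code, here is a Go version of the chunk-reassembly step that range-checks the client-supplied count before allocating anything; the cookie names sess-count / sess-N, the bound of 8 chunks and the request in main are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// Hypothetical cookie layout (an assumption, not zrok's real format):
// "sess-count" holds the chunk count, "sess-0".."sess-<n-1>" hold the chunks.
// A browser cookie is capped near 4 KiB, so a session token a few KiB long
// never needs more than a handful of chunks; 8 is a generous upper bound.
const (
	countCookie = "sess-count"
	chunkPrefix = "sess-"
	maxChunks   = 8
)

// getSessionCookieBounded reassembles the token from its chunks. Unlike the
// pattern in the advisory, which passes the parsed count straight to make,
// the count is range-checked before anything is allocated, and every chunk
// the count refers to must actually be present in the request.
func getSessionCookieBounded(r *http.Request) (string, error) {
	c, err := r.Cookie(countCookie)
	if err != nil {
		return "", err
	}
	n, err := strconv.Atoi(c.Value)
	if err != nil || n < 1 || n > maxChunks {
		// Rejects huge, zero, negative and non-numeric counts alike.
		return "", fmt.Errorf("invalid cookie chunk count %q", c.Value)
	}
	chunks := make([]string, 0, n) // capacity is at most maxChunks
	for i := 0; i < n; i++ {
		part, err := r.Cookie(chunkPrefix + strconv.Itoa(i))
		if err != nil {
			return "", fmt.Errorf("missing chunk %d: %w", i, err)
		}
		chunks = append(chunks, part.Value)
	}
	return strings.Join(chunks, ""), nil
}

func main() {
	// Constructed request carrying a well-formed two-chunk token.
	req, _ := http.NewRequest("GET", "http://share.example/", nil)
	req.Header.Add("Cookie", "sess-count=2; sess-0=abc; sess-1=def")
	tok, err := getSessionCookieBounded(req)
	fmt.Println(tok, err) // abcdef <nil>
}
```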

Fix

DoS

Resource Exhaustion


Weakness Enumeration

Related Identifiers

CVE-2026-40303
GHSA-CPF9-PH2J-CCR9

Affected Products

Zrok