GHSA-c8w6-x74f-vmg3: zebrad vulnerable to full node denial of service via crafted Sapling receiver in z_listunifiedreceivers
A vulnerability in zebrad up to v4.4.1 allows an authenticated RPC client to cause a denial of service by sending a crafted Sapling receiver in the z_listunifiedreceivers RPC call. The RPC handler panics due to improper error handling of invalid Sapling receiver data, causing the entire node process to abort. This can be exploited repeatedly to keep the node offline. The issue is fixed in zebrad 4.5.0 and zebra-rpc 8.0.0.
AI Analysis
Technical Summary
The z_listunifiedreceivers RPC handler in zebrad versions up to and including v4.4.1 improperly handles structurally valid but cryptographically invalid Sapling receivers embedded in Unified Addresses. Specifically, the handler calls a function that returns None for invalid Jubjub subgroup points but uses .expect() on this result, causing a panic and process abort when invalid data is encountered. Because zebrad is compiled with panic = "abort", this terminates the entire node process, not just the RPC task. The vulnerability requires RPC authentication, which by default requires local access to the .cookie file, but can be exposed remotely if cookie authentication is disabled. The issue is fixed in zebra-rpc 8.0.0 and zebrad 4.5.0 by replacing the panic with proper error propagation.
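The failure pattern described above, as a self-contained Rust example that is added here and is not code from zebrad or zebra-rpc. All type and function names are hypothetical, and the validity rule is a constructed stand-in for the Jubjub subgroup check, so no curve arithmetic is involved.

```rust
// Added illustration with hypothetical names; not zebra-rpc source code.
use std::convert::TryFrom;

pub const RECEIVER_LEN: usize = 43; // 11-byte diversifier + 32-byte pk_d

#[derive(Debug, PartialEq)]
pub struct SaplingReceiver(pub [u8; RECEIVER_LEN]);

#[derive(Debug, PartialEq)]
pub struct RpcError { pub code: i32, pub message: &'static str }

// -32602 is JSON-RPC 2.0 "Invalid params"; the code zebra-rpc returns is not on the page.
pub const BAD_LEN: RpcError = RpcError { code: -32602, message: "wrong receiver length" };
pub const BAD_POINT: RpcError = RpcError { code: -32602, message: "invalid Sapling receiver" };

/// Stand-in decoder. The real check is Jubjub subgroup membership of pk_d;
/// this constructed rule rejects an all-0xFF pk_d so the example needs no curve code.
pub fn decode_receiver(bytes: &[u8; RECEIVER_LEN]) -> Option<SaplingReceiver> {
    if bytes[11..].iter().all(|b| *b == 0xff) {
        return None; // structurally valid, cryptographically invalid
    }
    Some(SaplingReceiver(*bytes))
}

/// Pre-fix pattern: the length check passed, so decoding is assumed infallible.
/// Under panic = "abort" the failed expect() ends the process; catch_unwind cannot help.
#[allow(dead_code)]
pub fn list_receivers_unchecked(raw: &[u8]) -> Result<SaplingReceiver, RpcError> {
    let bytes = <&[u8; RECEIVER_LEN]>::try_from(raw).map_err(|_| BAD_LEN)?;
    Ok(decode_receiver(bytes).expect("receiver was already length-checked"))
}

/// Post-fix pattern: None is mapped to an error that goes back to the RPC client.
pub fn list_receivers_checked(raw: &[u8]) -> Result<SaplingReceiver, RpcError> {
    let bytes = <&[u8; RECEIVER_LEN]>::try_from(raw).map_err(|_| BAD_LEN)?;
    decode_receiver(bytes).ok_or(BAD_POINT)
}

fn main() {
    // Constructed inputs: one accepted by the stand-in rule, one rejected.
    let good = [0x01u8; RECEIVER_LEN];
    let mut bad = good;
    for b in bad[11..].iter_mut() { *b = 0xff; }
    println!("good: {:?}", list_receivers_checked(&good).map(|_| "decoded"));
    println!("bad:  {:?}", list_receivers_checked(&bad));
}
```

When auditing other handlers for the same defect, search for `.expect(` and `.unwrap(` on values derived from request parameters; a length or format check earlier in the function does not make a later `Option`-returning decoder infallible.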
Potential Impact
An authenticated attacker can send a single crafted RPC request to the z_listunifiedreceivers handler that causes the zebrad node process to abort immediately, resulting in a denial of service. The attack can be repeated indefinitely, preventing the node from operating until the malicious requests are blocked or the RPC server is disabled. This impacts node availability but does not affect confidentiality or integrity.
Mitigation Recommendations
A fix is available in zebrad 4.5.0 and zebra-rpc 8.0.0 that properly handles invalid Sapling receiver data without panicking. Until patched, operators should disable the RPC server by removing rpc.listen_addr from zebrad.toml, ensure enable_cookie_auth is true and restrict access to the .cookie file, or place a reverse proxy in front of the RPC port to filter out malicious z_listunifiedreceivers calls. These mitigations prevent unauthenticated or unauthorized triggering of the vulnerability.
Technical Details
- Gcve Source: db.gcve.eu
- Osv Id: GHSA-c8w6-x74f-vmg3
- Osv Schema Version: 1.4.0
- Aliases: []
- Ecosystems: ["crates.io"]
- Database Specific Severity: MODERATE
- Cvss Version: 3.1
Threat ID: 6a46ecb727e9c7971943ca24
Added to database: 07/02/2026, 22:56:55 UTC
Last enriched: 07/02/2026, 23:11:53 UTC
Last updated: 07/02/2026, 23:34:41 UTC