GHSA-qv2r-v3mx-f4pf: zebrad has full node denial of service via non-ASCII LongPollId in getblocktemplate
A vulnerability in zebrad up to and including v4.4.1 allows an authenticated RPC client to cause a denial of service by sending a getblocktemplate request with a non-ASCII LongPollId. The RPC handler performs byte-index slicing on the LongPollId string, which panics in Rust when multi-byte UTF-8 characters are present, terminating the entire node process. This affects nodes with RPC enabled via a TCP address and requires attacker authentication to the RPC endpoint. The issue is fixed in zebrad 4.5.0 and zebra-rpc 8.0.0.
AI Analysis
Technical Summary
The getblocktemplate RPC handler in zebrad versions up to v4.4.1 panics when parsing a LongPollId parameter that contains non-ASCII UTF-8 characters. The handler slices the string by byte index, and an index can land inside a multi-byte character instead of on a character boundary. Because zebrad is compiled with panic = "abort", this panic terminates the entire node process, resulting in a full node denial of service. The vulnerability requires the RPC server to be enabled on a TCP address and attacker authentication to the RPC endpoint. The issue is resolved by replacing byte-index slicing with character-aware parsing or validating the LongPollId as ASCII-only. Fixed in zebrad 4.5.0 and zebra-rpc 8.0.0.
Potential Impact
An authenticated attacker can send a specially crafted getblocktemplate RPC request with a non-ASCII LongPollId string, causing the zebrad node process to panic and terminate. This results in a full node denial of service. The impact affects mining pools and infrastructure that forward getblocktemplate calls. The denial of service is repeatable on node restart until patched or mitigated.
Mitigation Recommendations
A fix is available in zebrad 4.5.0 and zebra-rpc 8.0.0. Until upgrading, mitigate by disabling the RPC server (remove rpc.listen_addr from zebrad.toml); by ensuring enable_cookie_auth is true and restricting access to the .cookie file; or by placing a reverse proxy in front of the RPC port that validates that LongPollId parameters contain only ASCII characters before forwarding.
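The byte-index slicing failure from the Technical Summary, next to the ASCII-only validation that both the fix and the reverse-proxy mitigation rely on, as a small Rust program. This is an added example, not zebrad's code: the 18-byte ID layout, the function names and the sample IDs are assumptions constructed for illustration.

```rust
use std::panic;

// Hypothetical fixed-width layout for this example only (not zebrad's real format):
// 10 ASCII decimal digits of height followed by 8 hex digits of checksum.
const HEIGHT_LEN: usize = 10;
const ID_LEN: usize = 18;

/// Vulnerable pattern: only the byte length is checked before byte-index slicing.
/// Panics when byte 10 falls inside a multi-byte UTF-8 character.
fn parse_by_byte_index(id: &str) -> Option<(u32, u32)> {
    if id.len() != ID_LEN {
        return None;
    }
    let height: u32 = id[..HEIGHT_LEN].parse().ok()?;
    let checksum = u32::from_str_radix(&id[HEIGHT_LEN..], 16).ok()?;
    Some((height, checksum))
}

/// Hardened pattern: reject non-ASCII input up front, then slice with `str::get`,
/// which returns None instead of panicking on a bad range or boundary.
fn parse_checked(id: &str) -> Option<(u32, u32)> {
    if id.len() != ID_LEN || !id.is_ascii() {
        return None;
    }
    let height: u32 = id.get(..HEIGHT_LEN)?.parse().ok()?;
    let checksum = u32::from_str_radix(id.get(HEIGHT_LEN..)?, 16).ok()?;
    Some((height, checksum))
}

/// True if the byte-index parser panics on this input. The panic is caught here;
/// in a binary built with panic = "abort" the whole process would exit instead.
fn byte_index_parser_panics(id: &str) -> bool {
    panic::catch_unwind(|| parse_by_byte_index(id)).is_err()
}

// Constructed sample inputs, both exactly 18 bytes long.
const VALID_ID: &str = "0000012345deadbeef";
// 9 ASCII bytes, then 'é' (2 bytes, occupying bytes 9 and 10), then 7 ASCII bytes.
const NON_ASCII_ID: &str = "000001234édeadbee";

fn main() {
    for id in [VALID_ID, NON_ASCII_ID] {
        let panics = byte_index_parser_panics(id);
        println!("{:?}: checked={:?}, byte-index parser panics={}", id, parse_checked(id), panics);
    }
}
```

The length check alone does not help, because `str::len` counts bytes: the non-ASCII sample passes it and still panics on the slice.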
Technical Details
- GCVE source: db.gcve.eu
- OSV ID: GHSA-qv2r-v3mx-f4pf
- OSV schema version: 1.4.0
- Aliases: CVE-2026-52731
- Ecosystems: crates.io
- Database-specific severity: MODERATE
- CVSS version: 3.1
Threat ID: 6a46ecb927e9c7971943cb2c
Added to database: 07/02/2026, 22:56:57 UTC
Last enriched: 07/02/2026, 23:12:51 UTC
Last updated: 07/03/2026, 03:26:55 UTC