GHSA-29X4-R6JV-FF4W: GHSA-29X4-R6JV-FF4W: Denial of Service via Interrupted JSON-RPC Requests in Zebra zebra-rpc

#security #cve #cybersecurity #ghsa

GHSA-29X4-R6JV-FF4W: Denial of Service via Interrupted JSON-RPC Requests in Zebra zebra-rpc

Vulnerability ID: GHSA-29X4-R6JV-FF4W
CVSS Score: 6.5
Published: 2026-04-18

A Denial of Service (DoS) vulnerability exists in the Zebra Zcash node's JSON-RPC interface. An authenticated attacker can crash the node daemon by abruptly terminating an HTTP request during the payload transmission phase, exploiting unhandled I/O errors in the zebra-rpc crate.

TL;DR

Zebra nodes prior to version 4.3.1 are vulnerable to a persistent DoS attack. Authenticated clients sending partial HTTP requests followed by a TCP RST can trigger an unhandled panic in the RPC middleware.

Technical Details

Advisory ID: GHSA-29X4-R6JV-FF4W
CWE Class: CWE-248 (Uncaught Exception)
Attack Vector: Network
Authentication Required: Yes
Base CVSS Score: 6.5
Exploit Status: None
Patched Version: 4.3.1

Affected Systems

zebra-rpc crate
zebrad node daemon
zebra-rpc: < 4.3.1 (Fixed in: 4.3.1)
zebrad: < 4.3.1 (Fixed in: 4.3.1)

Mitigation Strategies

Upgrade the Zebra daemon to version 4.3.1 or higher.
Restrict JSON-RPC port access to trusted loopback interfaces.
Enforce strict firewall rules preventing external connections to port 8232 or 18232.
Implement process managers (e.g., systemd) configured to automatically restart the node upon unexpected termination.

Remediation Steps:

Verify current node version with zebrad --version.
Download the Zebra v4.3.1 release binaries or fetch the latest source code from the main repository.
Stop the running Zebra daemon.
Replace the existing zebrad binary with the v4.3.1 build.
Restart the node and verify that the daemon synchronizes properly with the network.