GHSA-c8w6-x74f-vmg3: zebrad vulnerable to full node denial of service via crafted Sapling receiver in z_listunifiedreceivers
The z_listunifiedreceivers RPC handler panics when processing a structurally valid Unified Address whose Sapling receiver carries 43 bytes that fail cryptographic validation (sapling_crypto::PaymentAddress::from_bytes returns None for non-subgroup Jubjub points). The handler calls .expect("using data already decoded as valid") on the fallible result. Because Zebra’s release profile sets panic = "abort", the panic terminates the entire node process, not just the RPC task.
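The failure mode described above, as an added example that is not Zebra's code: a stand-in `PaymentAddress::from_bytes` with the same `Option`-returning shape as the real decoder (the "subgroup" check is a constructed placeholder that rejects any input whose last byte is non-zero, purely so the example runs offline), the handler pattern that unwraps it with `.expect`, and the hardened form that propagates the decode failure as an RPC error instead of panicking. The handler names and `RpcError` type are assumptions for illustration.

```rust
// Added example (not Zebra's code). Stand-in for the fallible
// sapling_crypto::PaymentAddress::from_bytes, which returns None when the
// 43 bytes decode to a point outside the prime-order Jubjub subgroup.
// The check below is a constructed placeholder: a last byte of zero
// counts as "valid" only to make the example runnable.
use std::convert::TryInto;

#[derive(Debug, PartialEq)]
pub struct PaymentAddress([u8; 43]);

impl PaymentAddress {
    /// Length must be exactly 43 and the placeholder "subgroup" check
    /// must pass; otherwise None, exactly like the real decoder's shape.
    pub fn from_bytes(bytes: &[u8]) -> Option<Self> {
        let arr: [u8; 43] = bytes.try_into().ok()?;
        if arr[42] != 0 {
            return None; // stands in for "not in the Jubjub subgroup"
        }
        Some(PaymentAddress(arr))
    }
}

/// A Sapling receiver as it reaches the RPC layer after structural
/// decoding of the Unified Address: the outer encoding was valid, but the
/// 43 inner bytes have NOT yet been cryptographically validated.
pub struct SaplingReceiver(pub Vec<u8>);

#[derive(Debug, PartialEq)]
pub enum RpcError {
    InvalidSaplingReceiver,
}

/// Vulnerable pattern: structural validity is mistaken for cryptographic
/// validity, so a failed decode panics. With `panic = "abort"` in the
/// release profile that panic ends the whole node process, not just the
/// RPC task.
pub fn list_receivers_vulnerable(r: &SaplingReceiver) -> String {
    let addr = PaymentAddress::from_bytes(&r.0)
        .expect("using data already decoded as valid");
    hex(&addr.0)
}

/// Hardened pattern: treat the decode as fallible and return an RPC
/// error to the caller, leaving the node running.
pub fn list_receivers_hardened(r: &SaplingReceiver) -> Result<String, RpcError> {
    let addr = PaymentAddress::from_bytes(&r.0)
        .ok_or(RpcError::InvalidSaplingReceiver)?;
    Ok(hex(&addr.0))
}

fn hex(bytes: &[u8]) -> String {
    bytes.iter().map(|b| format!("{:02x}", b)).collect()
}

fn main() {
    // Constructed inputs: 43 bytes that pass the placeholder check, and
    // 43 bytes of the right length whose contents fail it.
    let good = SaplingReceiver(vec![0u8; 43]);
    let mut bad_bytes = vec![0u8; 43];
    bad_bytes[42] = 1;
    let bad = SaplingReceiver(bad_bytes);

    println!("hardened/good: {:?}", list_receivers_hardened(&good));
    println!("hardened/bad:  {:?}", list_receivers_hardened(&bad));

    // The vulnerable path panics on the bad input. In a dev profile the
    // unwind can be caught here; under panic = "abort" it cannot.
    let outcome = std::panic::catch_unwind(|| list_receivers_vulnerable(&bad));
    println!("vulnerable/bad panicked: {}", outcome.is_err());
}
```

The design point is that an `Option`/`Result` coming out of a cryptographic decoder must be handled at the RPC boundary, because network-supplied input can always be structurally well-formed yet cryptographically invalid; a unit test that feeds the handler a length-correct but invalid receiver, as in `main` above, is the check that would have caught this.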
References
- github.com/ZcashFoundation/zebra/blob/d4cd662c716382f6397d2a730148025a1ca79fec/Cargo.toml
- github.com/ZcashFoundation/zebra/blob/d4cd662c716382f6397d2a730148025a1ca79fec/zebra-rpc/src/methods.rs
- github.com/ZcashFoundation/zebra/security/advisories/GHSA-c8w6-x74f-vmg3
- github.com/advisories/GHSA-c8w6-x74f-vmg3