Reachable Assertion Affecting zebrad package, versions >=2.2.0 <4.3.1


Severity: medium (CVSS assessment by Snyk's Security Team)

  • Snyk ID: SNYK-RUST-ZEBRAD-16301609
  • Published: 27 Apr 2026
  • Disclosed: 18 Apr 2026
  • Credit: shieldedonly

Introduced: 18 Apr 2026

CVE: not available
CWE: CWE-248, CWE-617

How to fix?

Upgrade zebrad to version 4.3.1 or higher.

Overview

zebrad is the Zcash Foundation's independent, consensus-compatible implementation of a Zcash node.

Affected versions of this package are vulnerable to Reachable Assertion via the JSON-RPC HTTP middleware process. An attacker can cause the node to crash by disconnecting before the HTTP request body is fully received, resulting in the process aborting instead of returning an error response. This is only exploitable if the attacker is an authenticated RPC client or if cookie authentication is disabled and the RPC interface is exposed to untrusted networks.
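The failure mode above, as an added illustration in Rust that is not zebrad's code: a handler that reads a Content-Length body with std::io::Read. The first reader asserts that the full body arrives, so a client that disconnects early aborts the whole process; the second returns an error value that a middleware can answer with a per-connection HTTP error. The body-size limit and the status-code mapping are constructed for this example and go slightly beyond the advisory's single case.

```rust
use std::io::{self, Read};

/// Upper bound on an accepted body (constructed limit for this illustration).
const MAX_BODY: usize = 1 << 20;

/// Unsafe pattern: the body is assumed to arrive in full. A short read, which is
/// exactly what a client hanging up mid-request produces, trips the assertion
/// and the panic takes the process down instead of just this request.
pub fn read_body_asserting<R: Read>(mut reader: R, content_length: usize) -> Vec<u8> {
    let mut body = vec![0u8; content_length];
    reader
        .read_exact(&mut body)
        .expect("client must send the full body"); // panics on UnexpectedEof
    body
}

/// Error the hardened reader returns instead of panicking.
#[derive(Debug, PartialEq)]
pub enum BodyError {
    TooLarge(usize),
    Truncated { expected: usize, got: usize },
    Io(io::ErrorKind),
}

/// Hardened form: a disconnect before the declared length is reached becomes an
/// error value, so the connection gets an error response and the node keeps running.
pub fn read_body_checked<R: Read>(reader: R, content_length: usize) -> Result<Vec<u8>, BodyError> {
    if content_length > MAX_BODY {
        return Err(BodyError::TooLarge(content_length));
    }
    let mut body = Vec::with_capacity(content_length);
    // take() caps the read at the declared length; read_to_end then reports how
    // many bytes actually arrived rather than failing when the stream ends early.
    let got = reader
        .take(content_length as u64)
        .read_to_end(&mut body)
        .map_err(|e| BodyError::Io(e.kind()))?;
    if got < content_length {
        return Err(BodyError::Truncated { expected: content_length, got });
    }
    Ok(body)
}

/// HTTP status an RPC middleware would answer with for each error (constructed mapping).
pub fn status_for(err: &BodyError) -> u16 {
    match err {
        BodyError::Truncated { .. } => 400,
        BodyError::TooLarge(_) => 413,
        BodyError::Io(_) => 500,
    }
}
```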

Workaround

This vulnerability can be mitigated by ensuring the RPC port is not exposed to untrusted networks and that cookie authentication remains enabled.
