Uncaught Exception Affecting zebrad package, versions <4.5.0


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Uncaught Exception vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-RUST-ZEBRAD-17808054
  • published3 Jul 2026
  • disclosed2 Jul 2026
  • creditUnknown

Introduced: 2 Jul 2026

NewCVE-2026-52731  (opens in a new tab)
CWE-248  (opens in a new tab)

How to fix?

Upgrade zebrad to version 4.5.0 or higher.

Overview

zebrad is a The Zcash Foundation's independent, consensus-compatible implementation of a Zcash node

Affected versions of this package are vulnerable to Uncaught Exception via the getblocktemplate process when parsing a user-supplied LongPollId parameter containing non-ASCII (multi-byte UTF-8) characters. An attacker can cause the node process to terminate unexpectedly by sending a specially crafted authenticated RPC request with a malformed LongPollId value. This is only exploitable if the RPC server is enabled and the attacker can authenticate to the RPC endpoint.

Workaround

This vulnerability can be mitigated by disabling the RPC server, ensuring enable_cookie_auth = true and restricting access to the .cookie file, or placing a reverse proxy in front of the RPC port that validates LongPollId parameters are ASCII-only before forwarding.

CVSS Base Scores

version 4.0
version 3.1