Outray Subscription Tunnel Limit Bypass Vulnerability
Vulnerability
A time-of-check-to-time-of-use (TOCTOU) race condition has been identified in Outray, an open-source alternative to ngrok, in versions prior to 0.1.5. The flaw allows users to exceed the number of active tunnels permitted by their subscription plan. It arises in the tunnel registration process: the limit check and the tunnel registration are not performed atomically, so concurrent registration requests can each pass the check before any of them is recorded, bypassing the tunnel limit.
Impact
Exploiting this vulnerability allows users to create more active tunnels than their subscription plan allows, without incurring additional charges.
Reproduction
The vulnerability can be reproduced by sending multiple simultaneous requests to the '/api/tunnel/register' endpoint, for example with the Outray command-line application initiating several tunnel registrations at the same time. The race condition occurs because the application does not lock the database transaction that checks and records the tunnel count, so requests that overlap in time all see a count below the limit and the same user ends up with more active tunnels than the plan allows.
Remediation
Users can update to Outray version 0.1.5 or later, where this vulnerability has been fixed.
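The following is an added illustration of the pattern behind this advisory and of the kind of fix that closes it; it is not Outray's code and does not reflect how Outray stores tunnels. It assumes a hypothetical SQLite `tunnels` table with a `user_id` column and a per-plan limit (`TUNNEL_LIMIT`, chosen here as 2). `register_racy` reads the count and then inserts in two separate autocommit statements, which is the TOCTOU shape described above; `register_locked` does the check and the insert inside one `BEGIN IMMEDIATE` transaction, so concurrent registrations are serialised and the limit holds. A deliberate sleep between check and insert widens the race window so the simulation shows the difference reliably on a single machine.

```python
import os
import sqlite3
import tempfile
import threading
import time

TUNNEL_LIMIT = 2     # hypothetical plan limit (assumption, not Outray's value)
RACE_WINDOW = 0.1    # artificial delay between check and insert, seconds


def make_db():
    """Create a throwaway SQLite file with a minimal (constructed) tunnels table."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE tunnels (id INTEGER PRIMARY KEY, user_id TEXT NOT NULL)"
    )
    conn.commit()
    conn.close()
    return path


def _count(conn, user_id):
    (count,) = conn.execute(
        "SELECT COUNT(*) FROM tunnels WHERE user_id = ?", (user_id,)
    ).fetchone()
    return count


def register_racy(path, user_id, limit):
    """Vulnerable shape: check and insert are separate autocommit statements.

    Every request that reads the count before any insert lands sees a value
    below the limit, so all of them go on to insert."""
    conn = sqlite3.connect(path, isolation_level=None, timeout=5)
    try:
        if _count(conn, user_id) >= limit:
            return False
        time.sleep(RACE_WINDOW)  # the window in which other requests pass the check
        conn.execute("INSERT INTO tunnels (user_id) VALUES (?)", (user_id,))
        return True
    finally:
        conn.close()


def register_locked(path, user_id, limit):
    """Fixed shape: check and insert inside one write-locked transaction.

    BEGIN IMMEDIATE takes the database write lock up front, so a second
    registration cannot even read the count until the first has committed."""
    conn = sqlite3.connect(path, isolation_level=None, timeout=5)
    try:
        conn.execute("BEGIN IMMEDIATE")
        try:
            if _count(conn, user_id) >= limit:
                conn.execute("ROLLBACK")
                return False
            time.sleep(RACE_WINDOW)  # same delay; the lock makes it harmless
            conn.execute("INSERT INTO tunnels (user_id) VALUES (?)", (user_id,))
            conn.execute("COMMIT")
            return True
        except Exception:
            conn.execute("ROLLBACK")
            raise
    finally:
        conn.close()


def simulate(register, concurrency, limit, user_id="user-1"):
    """Fire `concurrency` registrations at once and return the resulting tunnel count."""
    path = make_db()
    threads = [
        threading.Thread(target=register, args=(path, user_id, limit))
        for _ in range(concurrency)
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    conn = sqlite3.connect(path)
    try:
        return _count(conn, user_id)
    finally:
        conn.close()
        os.remove(path)


if __name__ == "__main__":
    print("racy  :", simulate(register_racy, 8, TUNNEL_LIMIT), "tunnels")
    print("locked:", simulate(register_locked, 8, TUNNEL_LIMIT), "tunnels")
```

With eight overlapping requests the racy variant records well over the limit, while the locked variant never records more than `TUNNEL_LIMIT`. The same property can be obtained with a database-level constraint or an atomic conditional insert; the essential point is that the count check and the insert must not be observable as two separate steps by another request.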