Description

Outray openSource ngrok alternative. Prior to 0.1.5, this vulnerability allows a user i.e a free plan user to get more than the desired subdomains due to lack of db transaction lock mechanisms in main/apps/web/src/routes/api/$orgSlug/subdomains/index.ts. This vulnerability is fixed in 0.1.5.

Related CPE's

a

outray

outray

*

*

*

*

*

node.js

Vulnerable

References

https://github.com/outray-tunnel/outray/commit/73e8a09575754fb4c395438680454b2ec064d1d6

Patch

https://github.com/outray-tunnel/outray/security/advisories/GHSA-45hj-9x76-wp9g

ExploitVendor Advisory

Weaknesses

[email protected]

Primary
CWE-366

CVSS impact metrics

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H

5.9 · Medium

Information

Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2026-01-14T18:16:42.330Z

6 days ago

Last modified

2026-01-20T14:56:26.523Z

14 hours ago