Outray Race Condition: Bypassing Subscription Limits for Fun and Profit
Jan 14, 2026 · 5 min read
Executive Summary (TL;DR)
Outray did not run the subscription-limit check and the subsequent insert as a single atomic transaction. An attacker could send subdomain-registration requests in parallel; the server evaluated the limit for all of them at the same time (each request seeing '0 used'), let every one through, and then inserted every row. The fix introduced pessimistic row-level locking, so the check and the insert now happen under one lock.
A critical race condition in the Outray project allowed users to bypass subscription plan limits. By flooding the API with concurrent requests, attackers could register unlimited subdomains and tunnels, effectively rendering the monetization model useless.
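The check-then-insert shape described above next to its locked form, as an added example that is not Outray's code: it uses SQLite, whose BEGIN IMMEDIATE is a database-wide write lock standing in for the row-level lock of the real fix, and the table, column and function names are assumptions.

```python
import os
import sqlite3
import tempfile
import threading
from concurrent.futures import ThreadPoolExecutor
from contextlib import closing

# Constructed schema standing in for Outray's subdomain table (assumption).
SCHEMA = "CREATE TABLE subdomains (id INTEGER PRIMARY KEY, user_id INTEGER, name TEXT UNIQUE)"
INSERT = "INSERT INTO subdomains (user_id, name) VALUES (?, ?)"

def connect(path):
    # isolation_level=None: transactions are issued explicitly; timeout waits for the lock.
    return closing(sqlite3.connect(path, timeout=10, isolation_level=None))

def used(conn, user_id):
    return conn.execute("SELECT COUNT(*) FROM subdomains WHERE user_id = ?", (user_id,)).fetchone()[0]

def register_racy(path, user_id, name, limit, gate=None):
    """Vulnerable shape: the check and the insert are separate, unlocked statements."""
    with connect(path) as conn:
        if used(conn, user_id) >= limit:
            return False
        if gate:    # test hook: park every caller between the check and the insert
            gate()
        conn.execute(INSERT, (user_id, name))
        return True

def register_locked(path, user_id, name, limit):
    """Fixed shape: take the write lock, then check and insert in one transaction.
    BEGIN IMMEDIATE is SQLite's pessimistic lock; SELECT ... FOR UPDATE plays that role elsewhere."""
    with connect(path) as conn:    # an unfinished transaction is rolled back on close
        conn.execute("BEGIN IMMEDIATE")
        if used(conn, user_id) >= limit:
            conn.execute("ROLLBACK")
            return False
        conn.execute(INSERT, (user_id, name))
        conn.execute("COMMIT")
        return True

def flood(register, n, limit, hold=False, user_id=1):
    """Fire n concurrent registrations for one user; return how many rows were stored."""
    path = os.path.join(tempfile.mkdtemp(), "subdomains.db")
    sqlite3.connect(path, isolation_level=None).execute(SCHEMA)   # autocommit DDL
    kwargs = {"gate": threading.Barrier(n, timeout=5).wait} if hold else {}
    with ThreadPoolExecutor(max_workers=n) as pool:
        for i in range(n):
            pool.submit(register, path, user_id, f"app{i}", limit, **kwargs)
    with connect(path) as conn:
        return used(conn, user_id)    # racy with hold: n rows; locked: limit rows
```

Calling flood(register_racy, 8, 3, hold=True) stores 8 subdomains against a limit of 3, while flood(register_locked, 8, 3) stores exactly 3.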
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Outray akinloluwami | < Commit 73e8a09 | Commit 73e8a09 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-367 (TOCTOU) |
| Attack Vector | Network (API) |
| CVSS v3.1 | 5.9 (Medium) |
| Impact | Business Logic Bypass |
| Prerequisites | Authenticated User (Low Priv) |
| Exploit Difficulty | Low (Scriptable) |
CWE-367: Time-of-Check Time-of-Use (TOCTOU) Race Condition
The product checks the state of a resource before using it, but the resource's state can change between the check and the use in a way that invalidates the results of the check.