Infinite Tunnels, One Free Plan: Race Conditioning Outray
Jan 14, 2026 · 7 min read
Executive Summary (TL;DR)
Outray, a localhost tunneling tool, checked whether a user had reached their tunnel cap and then, after a brief pause, created the tunnel as a separate database operation. By sending concurrent registration requests during that pause, an attacker can get the server to authorize more tunnels than the subscription allows. The fix wraps the check and the insert in a database transaction with row-level locking.
A classic Time-of-Check to Time-of-Use (TOCTOU) race condition in the Outray CLI allows users to bypass subscription limits by flooding the registration endpoint. Because the database check and the insertion were not wrapped in a single atomic transaction, free-tier users could spin up an unlimited number of tunnels.
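The check-then-insert race and the transactional fix described above, as an added example that is not Outray's code: it uses an SQLite file database with a constructed `tunnels` table, and `BEGIN IMMEDIATE` stands in for the row-level locking a server-side database would provide.

```python
import os
import sqlite3
import tempfile
import threading
import time

# Constructed schema and queries for this example; Outray's real tables are not shown.
COUNT = "SELECT COUNT(*) FROM tunnels WHERE user_id = ?"
INSERT = "INSERT INTO tunnels (user_id) VALUES (?)"

def connect(path):
    # Autocommit mode (explicit BEGIN/COMMIT); the busy timeout makes a competing
    # writer wait for the lock instead of failing with "database is locked".
    return sqlite3.connect(path, timeout=5, isolation_level=None)

def register(path, user, cap, atomic):
    # atomic=False: check, pause, insert with no transaction, the TOCTOU pattern above.
    # atomic=True: the same steps inside BEGIN IMMEDIATE, which takes SQLite's write
    # lock up front, so a competing request waits for COMMIT and then re-reads the
    # count (the PostgreSQL analogue is SELECT ... FOR UPDATE on the user's row).
    con = connect(path)
    try:
        if atomic:
            con.execute("BEGIN IMMEDIATE")
        if con.execute(COUNT, (user,)).fetchone()[0] >= cap:
            return False  # close() below discards any open transaction
        time.sleep(0.05)  # the "brief pause": unsafe callers all pass the check here
        con.execute(INSERT, (user,))
        if atomic:
            con.execute("COMMIT")
        return True
    finally:
        con.close()

def tunnels_after_burst(atomic, requests=5, cap=1):
    # Fire concurrent registrations for one free-tier user; return rows actually created.
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        con = connect(path)
        con.execute("CREATE TABLE tunnels (user_id TEXT NOT NULL)")
        con.close()
        threads = [threading.Thread(target=register, args=(path, "u1", cap, atomic))
                   for _ in range(requests)]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        return connect(path).execute("SELECT COUNT(*) FROM tunnels").fetchone()[0]
    finally:
        os.unlink(path)
```

With `atomic=False` a burst of five requests against a cap of one leaves several tunnel rows behind; with `atomic=True` exactly one survives, because every later request re-checks the count after the first transaction commits.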
Official Patches
Fix Analysis (1)
Technical Appendix
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| outray (akinloluwami) | < 2026-01-13 | 08c61495761349e7fd2965229c3faa8d7b1c1581 (Commit) |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-367 (TOCTOU Race Condition) |
| Attack Vector | Network (API) |
| CVSS | 5.4 (Moderate) |
| Impact | Resource Exhaustion / Billing Bypass |
| Exploit Status | PoC Available |
| Patch Date | 2026-01-13 |
MITRE ATT&CK Mapping
The software checks the state of a resource before using it, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
Known Exploits & Detection
Vulnerability Timeline