When Chrome generates a ClientHello with GREASE ECH (a mechanism to randomize ECH extensions for privacy), it selects the cipher suite for both the outer handshake and the inner ECH consistently based on hardware capabilities (e.g., if AES is hardware-accelerated, it uses AES for both). The uTLS library's Chrome parrot simulation, however, hardcoded an AES preference for the outer cipher suite but randomly selected the ECH cipher suite between AES and ChaCha20. This created a 50% probability of generating an impossible fingerprint where the outer layer uses AES while the inner ECH layer uses ChaCha20, a combination never produced by a real Chrome browser, allowing passive listeners to detect the use of a TLS fingerprinting tool with high confidence.
dailycve form:
Platform: uTLS library
Version: 2023.12-2025.10
Vulnerability: Cipher selection mismatch
Severity: Medium
date: 2026-02-18
Prediction: October 2025
What Undercode Say:
Analytics
The vulnerability stems from inconsistent cipher suite selection logic between the outer ClientHello and the GREASE ECH extension within the same simulated handshake. Real Chrome browsers, since implementing ECH around late 2023, base both selections on the same hardware capability check. uTLS versions from v1.6.0 (December 2023) to the fix in October 2025 (affecting symbols HelloChrome_120, HelloChrome_120_PQ, HelloChrome_131, HelloChrome_133) contained this behavioral mismatch. The flaw is particularly critical for anonymity tools because it creates a deterministic 50% detection rate per connection; for proxy software managing numerous concurrent TCP connections, this effectively results in 100% detection probability by monitoring systems like the GFW.
Bash commands and codes related to the blog
```bash
# Check whether your uTLS source tree contains the affected parrots
# (-E is required so that | is treated as alternation)
grep -rE "HelloChrome_12[0-3]|HelloChrome_13[1-3]" /path/to/utls/

# For Go projects using uTLS, check the version pinned in go.mod
cd /your/project
go list -m github.com/refraction-networking/utls
# If the version is v1.6.0 to v1.6.7, you are affected (before the fix)

# Update uTLS to the patched version
go get github.com/refraction-networking/utls@latest
go mod tidy

# Verify the fix commit is included
# (the hash shows up in a pseudo-version built from this commit;
#  a tagged release does not carry it in its version string)
go list -m -json github.com/refraction-networking/utls | grep 24bd1e05
```
Exploit:
The vulnerability is triggered simply by using specific uTLS fingerprints (Chrome parrots) to generate a ClientHello for a server that does not support ECH, causing the library to insert a GREASE ECH extension. The detection is passive: a listener captures the TLS ClientHello, parses the outer cipher suite list and the GREASE ECH extension's inner cipher suite, and checks for the impossible combination (AES outer + ChaCha20 ECH). A mismatch immediately flags the connection as using a forged fingerprint. This requires no active tampering and leaves no log on the client system, making it extremely difficult for the user to detect they have been identified.
Protection from this CVE
- Update uTLS: Apply the fix from commit `24bd1e05a788c1add7f3037f4532ea552b2cee07` (uTLS version after October 13, 2025).
- Change Fingerprint: For users who cannot update immediately (e.g., Xray-core users), modify the TLS fingerprint setting from `chrome` to other browsers like `firefox` or `ios`, or disable uTLS fingerprinting entirely using `unsafe` (though this may break Reality features).
- Monitor Security Advisories: Track the uTLS GitHub repository for any further behavioral patches related to ECH or GREASE implementations.
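
To confirm that a build no longer emits the mismatch described above, the following added Go example (not code from uTLS or from the original advisory) reads the HPKE AEAD from an outer ECH extension body and compares it with the first TLS 1.3 suite in the outer cipher list. The function names, the sample cipher list and the zero-filled ECH body are constructed for illustration; the field layout is the standard outer `encrypted_client_hello` extension format.

```go
package main

import "fmt"

const (
	aeadAES128, aeadAES256, aeadChaCha = 0x0001, 0x0002, 0x0003 // HPKE AEAD ids (RFC 9180)
	tlsAES128, tlsAES256, tlsChaCha    = 0x1301, 0x1302, 0x1303 // TLS 1.3 suites (RFC 8446)
)

// echAEAD parses type(1)=0 | kdf(2) | aead(2) | config_id(1) | enc<2> | payload<2>.
func echAEAD(b []byte) (uint16, error) {
	if len(b) < 11 || b[0] != 0 {
		return 0, fmt.Errorf("not an outer ECH extension")
	}
	p := 8 + (int(b[6])<<8 | int(b[7])) // offset of the payload length field
	if p+2 >= len(b) || p+2+(int(b[p])<<8|int(b[p+1])) != len(b) {
		return 0, fmt.Errorf("ECH length fields do not match body")
	}
	return uint16(b[3])<<8 | uint16(b[4]), nil
}

// Consistent checks that the first TLS 1.3 suite offered and the ECH AEAD share a family.
func Consistent(suites []uint16, echBody []byte) (bool, error) {
	aead, err := echAEAD(echBody)
	if err != nil {
		return false, err
	}
	echAES := aead == aeadAES128 || aead == aeadAES256
	if !echAES && aead != aeadChaCha {
		return false, fmt.Errorf("unexpected HPKE AEAD 0x%04x", aead)
	}
	for _, s := range suites { // GREASE values and pre-1.3 suites are skipped
		if s == tlsAES128 || s == tlsAES256 || s == tlsChaCha {
			return (s != tlsChaCha) == echAES, nil
		}
	}
	return false, fmt.Errorf("no TLS 1.3 suite offered")
}

// sampleECH builds a constructed body: 32-byte enc, 16-byte payload, all zero.
func sampleECH(aead byte) []byte {
	b := append([]byte{0, 0, 1, 0, aead, 0x2a, 0, 32}, make([]byte, 50)...)
	b[41] = 16 // payload length lives at b[40:42], after enc in b[8:40]
	return b
}

func main() { // constructed AES-first outer list with a ChaCha20 ECH AEAD
	fmt.Println(Consistent([]uint16{0x1a1a, tlsAES128, tlsChaCha}, sampleECH(aeadChaCha)))
}
```

In a project's test suite, the cipher list and ECH extension body would come from the ClientHello the client actually marshals rather than from `sampleECH`.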
Impact
Any software relying on uTLS to simulate Chrome's TLS fingerprint (e.g., Xray-core, sing-box, various proxy and anti-censorship tools) between December 2023 and October 2025 was vulnerable to passive identification. The impact is severe for users in censored regions, as it undermines the core purpose of fingerprint obfuscation. A censor can passively monitor traffic and, with near 100% certainty over a session, identify connections using the flawed Chrome parrot, potentially leading to connection throttling, blocking, or increased scrutiny without the user's knowledge.
Sources:
Reported By: github.com

