Vulnerability Details
- CVE ID: CVE-2026-22820
- Severity: Moderate
- Affected Package: Outray (npm)
- Affected Versions: 0.1.3
- Patched Versions: None
- Weakness: CWE-367 (Time-of-check to time-of-use (TOCTOU) race condition)

Summary: A TOCTOU race condition in the endpoint allows a user to exceed the number of active tunnels permitted by their subscription plan.

Description:
- The endpoint code does not guard against race conditions between concurrent requests.
- The code checks whether the tunnel already exists in the database and whether the plan limit has been reached.
- If the limit has been reached, a tunnel limit error is returned.
- If it has not, a new tunnel is registered, but no lock or transaction excludes other in-flight requests between the check and the insert.
- Parallel requests by the user can therefore all pass the check before any insert is recorded, allowing the user to bypass the limit.

Proof of Concept (PoC): A bash script is provided that uses to run the binary in the same tmux window, opening 4 tunnels.

Impact: Exploiting the TOCTOU race condition bypasses the intended limit, consuming server resources without additional billing charges.

Credits:
- Reporter: gr33pp
- Analyst: SENSEiXENUS
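The check-then-insert pattern the advisory describes, beside a version that serialises the check and the insert, as an added example that is not Outray's code. The functions, the in-memory store and the per-user lock are hypothetical stand-ins for the real endpoint and database.

```javascript
// Added illustration, not Outray's code: the check-then-insert pattern the
// advisory describes beside a version that serialises the check and insert.
// All names (registerTunnelRacy, registerTunnelSafe, the store) are hypothetical.

// Each simulated DB call yields to the event loop, so concurrent requests
// interleave just as they would against a real database.
const dbRoundTrip = () => new Promise((resolve) => setImmediate(resolve));

// store: constructed in-memory Map of userId -> array of active tunnel ids.
async function countTunnels(store, userId) {
  await dbRoundTrip();
  return (store.get(userId) || []).length;
}
async function insertTunnel(store, userId, tunnelId) {
  await dbRoundTrip();
  store.set(userId, [...(store.get(userId) || []), tunnelId]);
}

// CWE-367: the limit check and the insert are separate DB operations, so
// every request already in flight sees the old count and passes the check.
async function registerTunnelRacy(store, userId, tunnelId, limit) {
  if ((await countTunnels(store, userId)) >= limit) {
    return { ok: false, error: 'tunnel limit exceeded' };
  }
  await insertTunnel(store, userId, tunnelId);
  return { ok: true, tunnelId };
}

// Fix: hold a per-user lock across check and insert. In a real service this
// is a transaction with a row lock (e.g. SELECT ... FOR UPDATE) or an atomic
// conditional insert rather than an in-process promise chain.
const userLocks = new Map();
async function withUserLock(userId, fn) {
  const prev = userLocks.get(userId) || Promise.resolve();
  let release;
  const mine = new Promise((resolve) => { release = resolve; });
  userLocks.set(userId, prev.then(() => mine));
  await prev;
  try { return await fn(); } finally { release(); }
}
const registerTunnelSafe = (store, userId, tunnelId, limit) =>
  withUserLock(userId, () => registerTunnelRacy(store, userId, tunnelId, limit));

// Fire n simultaneous registrations for one user; return how many succeeded.
async function concurrentRegistrations(register, n, limit) {
  const store = new Map();
  const results = await Promise.all(Array.from({ length: n }, (_, i) =>
    register(store, 'user-1', `tunnel-${i}`, limit)));
  return results.filter((r) => r.ok).length;
}
```

With a plan limit of 2 and 4 simultaneous requests, the racy version registers all 4 tunnels while the locked version registers 2.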