GHSA-VGRC-HQ28-P3XP is a high-severity server-side request forgery (SSRF) vulnerability in github.com/apernet/hysteria/core/v2 (go), affecting versions >= 2.0.0, <= 2.9.1. It is fixed in 2.9.2.
Summary Hysteria's UDP relay treats the destination address as packet-scoped, but ACL and outbound policy are applied only once when a new UDP session is created. After an authenticated client opens a UDP session using an allowed first destination, later packets in the same Session ID can be sent to different destinations without re-running ACL evaluation. This allows an authenticated user to bypass server-side UDP ACL rules and reach localhost or RFC1918/private-network UDP services from the server's network perspective, even when those destinations are explicitly rejected by ACL. Verified on current HEAD at commit 64c396385631579598cc29d5561bff98c439772f. Why this is a security issue This report is not based on the assumption that one UDP session must be bound to one destination. The protocol and official client both support per-packet destinations: PROTOCOL.md:93-107 defines each UDPMessage as carrying its own Addr field. core/client/udp.go:52-62 exposes Send(data, addr), allowing the same UDP session to send to arbitrary addresses. The problem is that the security-relevant destination is packet-scoped, while ACL and outbound authorization are cached at session scope. This is also not a RequestHook-bypass claim. I understand RequestHook is first-packet-oriented. The broader issue is that operator-configured ACL policy intended to block UDP destinations is not enforced on later packets within the same session. Because the ACL documentation is presented as the mechanism for handling or blocking client requests, and includes examples of denying udp/443 and private network CIDRs, operators can reasonably rely on ACL as a UDP egress security boundary. This boundary can currently be bypassed by reusing a previously authorized UDP session. Root cause The relevant flow appears to be: core/server/udp.go:280-299: when a new session is created, the first destination is passed through m.io.Hook(...), logged, and then m.io.UDP(addr) is called once to create the outbound UDP connection. core/server/server.go:397-398: m.io.UDP(addr) delegates to io.Outbound.UDP(reqAddr). app/cmd/server.go:1187-1190: resolver, ACL, and actual outbounds are intentionally chained through the Outbound interface. core/server/udp.go:125: the initial outbound connection is created only from the first packet via DialFunc(firstMsg.Addr, firstMsg.Data). core/server/udp.go:92-111: later packets in the same session take the current packet address and directly call e.conn.WriteTo(dfMsg.Data, addr) without re-running ACL or outbound policy evaluation. In other words, destination selection is packet-scoped, but authorization is session-scoped. Impact Any authenticated client that is allowed to use UDP relay can: open one UDP session using an allowed first destination; reuse the same session to send packets to destinations that ACL should reject; reach UDP services on 127.0.0.1 or on RFC1918/private-network addresses from the server's network perspective. In real deployments, this can expose internal-only UDP services such as: internal DNS resolvers; service discovery endpoints; telemetry or metrics listeners; local administrative daemons; application-specific UDP services intended to be reachable only from localhost or the internal network. This breaks the server's documented ACL-based UDP egress restrictions. Reproduction Two cases were reproduced with integration tests. Case 1: localhost bypass ACL: Steps: Start one UDP echo service on 127.0.0.1:<allowedPort>. Start another UDP echo service on 127.0.0.1:<blockedPort>. Connect an authenticated Hysteria client and create one UDP session. Send a packet to the allowed loopback destination to establish the session. Reuse the same UDP session and send a packet to the blocked loopback destination. Observed result: The second packet is relayed successfully and the blocked loopback service replies. Expected result: The second packet should be rejected because 127.0.0.1/32 is denied by ACL. Case 2: private-network bypass ACL: or the corresponding local RFC1918 range, such as 192.168.0.0/16 or 172.16.0.0/12. Steps: Start one UDP echo service on 127.0.0.1:<allowedPort>. Start another UDP echo service on a real RFC1918 address of the server host. Connect an authenticated Hysteria client and create one UDP session. Send a packet to the allowed loopback destination first. Reuse the same UDP session and send a packet to the RFC1918 destination. Observed result: The private-address packet is relayed successfully and receives a reply. Expected result: The packet should be rejected by ACL. PoC and local evidence A local integration test file was added during verification: core/internal/integrationtests/udpprivateaclbypass_test.go The two tests are: TestClientServerUDPACLBYPASSLoopback TestClientServerUDPACLBYPASSPrivateIPv4 They can be executed with: The tests pass locally and demonstrate that a destination blocked by ACL becomes reachable after the session is established with an allowed first destination. Suggested fixes Any of the following would address the issue: Re-evaluate ACL and outbound policy for every defragmented UDP packet before forwarding it with WriteTo. Alternatively, enforce a single immutable destination per UDP session and reject destination changes after the first packet. Ensure logging and policy hooks are aligned with the chosen model so that policy enforcement and observability reflect the real per-packet destination. Severity assessment Suggested CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L This reflects a network-reachable issue with low attack complexity, requiring only an authenticated client, no victim interaction, and allowing impact beyond the proxy process by exposing localhost and internal-network UDP resources from the server's trust boundary.
Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside. Typical impact: access to internal metadata services, internal APIs, or cloud credentials.
GHSA-VGRC-HQ28-P3XP has a CVSS score of 7.4 (High). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (2.9.2). Upgrading removes the vulnerable code path.
go
github.com/apernet/hysteria/core/v2 (>= 2.0.0, <= 2.9.1)github.com/apernet/hysteria/core/v2 → 2.9.2 (go)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether GHSA-VGRC-HQ28-P3XP is reachable in your applications. Explore open-source security for your team.
See if GHSA-VGRC-HQ28-P3XP is reachable in your applications. Get a demo
Already deployed Kodem? See GHSA-VGRC-HQ28-P3XP in your environment →Upgrade github.com/apernet/hysteria/core/v2 to 2.9.2 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
GHSA-VGRC-HQ28-P3XP is a high-severity server-side request forgery (SSRF) vulnerability in github.com/apernet/hysteria/core/v2 (go), affecting versions >= 2.0.0, <= 2.9.1. It is fixed in 2.9.2. Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside.
GHSA-VGRC-HQ28-P3XP has a CVSS score of 7.4 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
github.com/apernet/hysteria/core/v2 (go) versions >= 2.0.0, <= 2.9.1 is affected.
Yes. GHSA-VGRC-HQ28-P3XP is fixed in 2.9.2. Upgrade to this version or later.
Whether GHSA-VGRC-HQ28-P3XP is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade github.com/apernet/hysteria/core/v2 to 2.9.2 or later.