Outray · Outray · CVE-2026-22819
**Name of the Vulnerable Software and Affected Versions**
Outray versions prior to 0.1.5
**Description**
Outray enforces a per-plan limit on the number of subdomains an organization may create, but the check is not atomic with the insert. The affected code is the route handler at `/api/$orgSlug/subdomains/index.ts`, which reads the user's plan and the current rows in the `subdomains` table, compares the count against the limit, and then issues an `INSERT`, all without a database transaction lock. This is a time-of-check to time-of-use race: if a second request reads the `subdomains` table before the first request's `INSERT` has committed, both requests see a count below the limit and both succeed. A user on a free plan can exploit this by sending the creation request many times in parallel (the proof of concept does so with Burp Suite) and ends up with more subdomains than the plan permits.
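The race described above, reproduced as an added example; this is not Outray's code. It models the `subdomains` table with an in-memory stand-in whose reads and writes yield to the event loop (the window between the `SELECT` and the `INSERT`), runs ten parallel requests against a handler with the unlocked check-then-insert pattern, and then against a handler that serialises the check and insert per organization with an async mutex. The plan limit of 2, the organization slug and the handler names are assumptions chosen for the demonstration.

```typescript
// Added example, not Outray's code. Models the check-then-insert race in
// CVE-2026-22819 with an in-memory "subdomains table" whose queries yield to
// the event loop, so parallel requests interleave between read and write.

type Row = { org: string; name: string };

// Constructed stand-in for the subdomains table.
class FakeDb {
  rows: Row[] = [];

  // Simulated query latency: a timer hop lets other requests run in between.
  private async latency(): Promise<void> {
    await new Promise<void>((r) => setTimeout(r, 1));
  }

  async countForOrg(org: string): Promise<number> {
    await this.latency();
    return this.rows.filter((r) => r.org === org).length;
  }

  async insert(row: Row): Promise<void> {
    await this.latency();
    this.rows.push(row);
  }
}

const FREE_PLAN_LIMIT = 2; // assumed plan limit for the demonstration

// Vulnerable handler: the limit check and the INSERT are separate awaits with
// no lock, so a second request can read the count before the first INSERT lands.
async function createSubdomainVulnerable(db: FakeDb, org: string, name: string): Promise<boolean> {
  const count = await db.countForOrg(org);
  if (count >= FREE_PLAN_LIMIT) return false;
  await db.insert({ org, name });
  return true;
}

// Per-organization async mutex: requests for the same org run one at a time.
const orgLocks = new Map<string, Promise<void>>();

async function withOrgLock<T>(org: string, fn: () => Promise<T>): Promise<T> {
  const prev = orgLocks.get(org) ?? Promise.resolve();
  let release!: () => void;
  const mine = new Promise<void>((r) => (release = r));
  orgLocks.set(org, prev.then(() => mine)); // next caller waits for us to release
  await prev; // wait for the previous holder
  try {
    return await fn();
  } finally {
    release();
  }
}

// Hardened handler: check and insert form one critical section per org. In a
// real deployment the equivalent is a DB transaction that locks the org row
// (SELECT ... FOR UPDATE) or a constraint enforced by the database itself.
async function createSubdomainFixed(db: FakeDb, org: string, name: string): Promise<boolean> {
  return withOrgLock(org, async () => {
    const count = await db.countForOrg(org);
    if (count >= FREE_PLAN_LIMIT) return false;
    await db.insert({ org, name });
    return true;
  });
}

// Fire n creation requests at once, as the PoC does with Burp, and report how
// many rows actually landed in the table.
async function race(
  handler: (db: FakeDb, org: string, name: string) => Promise<boolean>,
  n: number,
): Promise<number> {
  const db = new FakeDb();
  await Promise.all(Array.from({ length: n }, (_, i) => handler(db, "free-org", `sub${i}`)));
  return db.rows.length;
}

async function demo(): Promise<{ vulnerable: number; fixed: number }> {
  const vulnerable = await race(createSubdomainVulnerable, 10);
  const fixed = await race(createSubdomainFixed, 10);
  return { vulnerable, fixed };
}

demo().then((r) => console.log(r));
```

With the unlocked handler every one of the ten parallel requests reads a count of zero and inserts, so the table ends with ten rows for a plan that allows two; the locked handler admits exactly two. An in-process mutex only helps when a single process serves the organization, so for a multi-instance deployment the lock belongs in the database: run the count and insert in one transaction that takes a row lock on the organization, or let the database reject the insert with a constraint.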
**Recommendations**
Versions prior to 0.1.5 should be updated to version 0.1.5 or later.