PT-2026-2971 — Outray

PT-2026-2971 · Npm · Outray

Published

2026-01-13

Updated

2026-01-13

CVSS v3.1

5.9

Medium

Vector

AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H

Summary

This vulnerability allows a user i.e a free plan user to get more than the desired subdomains due to lack of db transaction lock mechanisms in https://github.com/akinloluwami/outray/blob/main/apps/web/src/routes/api/%24orgSlug/subdomains/index.ts

Details

The affected code-:

//Race condition
    const [subscription] = await db
     .select()
     .from(subscriptions)
     .where(eq(subscriptions.organizationId, organization.id));

    const currentPlan = subscription?.plan || "free";
    const planLimits = getPlanLimits(currentPlan as any);
    const subdomainLimit = planLimits.maxSubdomains;

    const existingSubdomains = await db
     .select()
     .from(subdomains)
     .where(eq(subdomains.organizationId, organization.id));

    if (existingSubdomains.length >= subdomainLimit) {
     return json(
      {
       error: `Subdomain limit reached. The ${currentPlan} plan allows ${subdomainLimit} subdomain${subdomainLimit > 1 ? "s" : ""}.`,
      },
      { status: 403 },
     );
    }

    const existing = await db
     .select()
     .from(subdomains)
     .where(eq(subdomains.subdomain, subdomain))
     .limit(1);

    if (existing.length > 0) {
     return json({ error: "Subdomain already taken" }, { status: 409 });
    }

    const [newSubdomain] = await db
     .insert(subdomains)
     .values({
      id: crypto.randomUUID(),
      subdomain,
      organizationId: organization.id,
      userId: session.user.id,
     })
     .returning();

The first part of the code checks the user plan and determine his/her existing domains without locking the transaction and allowing it to run.

const existingSubdomains = await db
     .select()
     .from(subdomains)
     .where(eq(subdomains.organizationId, organization.id));

The other part of the code checks if the desired domain is more than the limit.

if (existingSubdomains.length >= subdomainLimit) {
     return json(
      {
       error: `Subdomain limit reached. The ${currentPlan} plan allows ${subdomainLimit} subdomain${subdomainLimit > 1 ? "s" : ""}.`,
      },
      { status: 403 },
     );
    }

Finally, it inserts the subdomain also after the whole check without locking transactions.

const [newSubdomain] = await db
     .insert(subdomains)
     .values({
      id: crypto.randomUUID(),
      subdomain,
      organizationId: organization.id,
      userId: session.user.id,
     })
     .returning();

An attacker can exploit this by making parallel requests to the same endpoint and if the second request reads row subdomains before the INSERT statement of request one is made.It allows the attacker to act on a not yet updated row which bypasses the checks and allow the attacker to get more subdomains.For example-:

 Parallel request 1                Parallel Request 2  
   |                                   |
checks for                           Checks the not yet updated
available subdomain                   row and bypasses the logic checks
and determines if it is more than limit
  |                                    |
Inserts subdomain and calls it a day      Also inserts the subdomain

The attack focuses on exploiting the race window between reading and writing the db rows.

PoC

Intercept with Burp proxy,pass to Repeater and create multiple requests in a single batch with different subdomain names as seen below. Lastly, send the requests in parallel.