## Summary Hysteria's UDP relay treats the destination address as packet-scoped, but ACL and outbound policy are applied only once when a new UDP session is created. After an authenticated client opens a UDP session using an allowed first destination, later packets in the same `Session ID` can be sent to different destinations without re-running ACL evaluation. This allows an authenticated user to bypass server-side UDP ACL rules and reach localhost or RFC1918/private-network UDP services from the server's network perspective, even when those destinations are explicitly rejected by ACL. Verified on current HEAD at commit `64c396385631579598cc29d5561bff98c439772f`. ## Why this is a security issue This report is not based on the assumption that one UDP session must be bound to one destination. The protocol and official client both support per-packet destinations: - `PROTOCOL.md:93-107` defines each `UDPMessage` as carrying its own `Addr` field. - `core/client/udp.go:52-62` exposes `Send(data, addr)`, allowing the same UDP session to send to arbitrary addresses. The problem is that the security-relevant destination is packet-scoped, while ACL and outbound authorization are cached at session scope. This is also not a `RequestHook`-bypass claim. I understand `RequestHook` is first-packet-oriented. The broader issue is that operator-configured ACL policy intended to block UDP destinations is not enforced on later packets within the same session. Because the ACL documentation is presented as the mechanism for handling or blocking client requests, and includes examples of denying `udp/443` and private network CIDRs, operators can reasonably rely on ACL as a UDP egress security boundary. This boundary can currently be bypassed by reusing a previously authorized UDP session. ## Root cause The relevant flow appears to be: - `core/server/udp.go:280-299`: when a new session is created, the first destination is passed through `m.io.Hook(...)`, logged, and then `m.io.UDP(addr)` is called once to create the outbound UDP connection. - `core/server/server.go:397-398`: `m.io.UDP(addr)` delegates to `io.Outbound.UDP(reqAddr)`. - `app/cmd/server.go:1187-1190`: resolver, ACL, and actual outbounds are intentionally chained through the `Outbound` interface. - `core/server/udp.go:125`: the initial outbound connection is created only from the first packet via `DialFunc(firstMsg.Addr, firstMsg.Data)`. - `core/server/udp.go:92-111`: later packets in the same session take the current packet address and directly call `e.conn.WriteTo(dfMsg.Data, addr)` without re-running ACL or outbound policy evaluation. In other words, destination selection is packet-scoped, but authorization is session-scoped. ## Impact Any authenticated client that is allowed to use UDP relay can: - open one UDP session using an allowed first destination; - reuse the same session to send packets to destinations that ACL should reject; - reach UDP services on `127.0.0.1` or on RFC1918/private-network addresses from the server's network perspective. In real deployments, this can expose internal-only UDP services such as: - internal DNS resolvers; - service discovery endpoints; - telemetry or metrics listeners; - local administrative daemons; - application-specific UDP services intended to be reachable only from localhost or the internal network. This breaks the server's documented ACL-based UDP egress restrictions. ## Reproduction Two cases were reproduced with integration tests. ### Case 1: localhost bypass ACL: ```text direct(127.0.0.1, udp/<allowedPort>) reject(127.0.0.1/32) ``` Steps: 1. Start one UDP echo service on `127.0.0.1:<allowedPort>`. 2. Start another UDP echo service on `127.0.0.1:<blockedPort>`. 3. Connect an authenticated Hysteria client and create one UDP session. 4. Send a packet to the allowed loopback destination to establish the session. 5. Reuse the same UDP session and send a packet to the blocked loopback destination. Observed result: - The second packet is relayed successfully and the blocked loopback service replies. Expected result: - The second packet should be rejected because `127.0.0.1/32` is denied by ACL. ### Case 2: private-network bypass ACL: ```text direct(127.0.0.1, udp/<allowedPort>) reject(10.0.0.0/8) ``` or the corresponding local RFC1918 range, such as `192.168.0.0/16` or `172.16.0.0/12`. Steps: 1. Start one UDP echo service on `127.0.0.1:<allowedPort>`. 2. Start another UDP echo service on a real RFC1918 address of the server host. 3. Connect an authenticated Hysteria client and create one UDP session. 4. Send a packet to the allowed loopback destination first. 5. Reuse the same UDP session and send a packet to the RFC1918 destination. Observed result: - The private-address packet is relayed successfully and receives a reply. Expected result: - The packet should be rejected by ACL. ## PoC and local evidence A local integration test file was added during verification: - `core/internal/integration_tests/udp_private_acl_bypass_test.go` The two tests are: - `TestClientServerUDPACLBYPASSLoopback` - `TestClientServerUDPACLBYPASSPrivateIPv4` They can be executed with: ```bash go test ./core/internal/integration_tests -run 'TestClientServerUDPACLBYPASS(Loopback|PrivateIPv4)' -count=1 ``` The tests pass locally and demonstrate that a destination blocked by ACL becomes reachable after the session is established with an allowed first destination. ## Suggested fixes Any of the following would address the issue: 1. Re-evaluate ACL and outbound policy for every defragmented UDP packet before forwarding it with `WriteTo`. 2. Alternatively, enforce a single immutable destination per UDP session and reject destination changes after the first packet. 3. Ensure logging and policy hooks are aligned with the chosen model so that policy enforcement and observability reflect the real per-packet destination. ## Severity assessment Suggested CVSS v3.1 vector: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L` This reflects a network-reachable issue with low attack complexity, requiring only an authenticated client, no victim interaction, and allowing impact beyond the proxy process by exposing localhost and internal-network UDP resources from the server's trust boundary.
PoC: CVE-2025-8110
PoC exploit for CVE-2025-8110
PoC: CVE-2026-45504
CVE-2026-45504 Microsoft Exchange File Read
PoC: katana
Let's hijack our bootchain - CVE-2021-30327
PoC: CVE-2026-24418
OpenSTAManager v2.9.8 and earlier contain a critical Error-Based SQL Injection vulnerability in the bulk operations handler for the Scadenzario (Payment Schedule) module.
PoC: OpenSTAManager-RCE-Exploit-CVE-2026-38751
OpenSTAManager-RCE-Exploit-CVE-2026-38751
PoC: pagecache-lpe-containment-kit
Educational, defensive kit for two Linux page-cache-corruption LPEs (DirtyClone CVE-2026-43503, pedit COW CVE-2026-46331): hardening, detection, verification, seccomp + validation harness. Detection and prevention only — no exploit code. TLP:CLEAR.
PoC: By-Poloss..-..CVE-2026-12432-PoC
WP Full Stripe Free <= 8.4.3 - Missing Authorization
PoC: CVE-2026-43499
CVE-2026-43499 PoC
PoC: CVE-2026-20251
CVE-2026-20251 — Splunk Secure Gateway jsonpickle deserialization RCE (CVSS 8.8) | ReactiveZero Security Research
PoC: pdf.js-CVE-2024-4367
SCAN END POC THE CVE-2024-4367
PoC: CVE-2026-48908
CVE-2026-48908
PoC: CVE-2020-24186
Exploit para RCE (Remote Code Exec) CVE de plugin vulnerable en Wordpress WP-Discuz en versión 7.0.4
PoC: CVE-2026-56111
Proof of concept for CVE-2026-56111, an out-of-bounds write in the M421 G-code handler of Marlin Firmware
PoC: CVE_2024_1086_vulnerability_check
CVE-2024-1086 vulnerability
PoC: CVE-2026-43503
DirtyClone - local privilege escalation (LPE) proof-of-concept targeting a kernel/XFRM-related vulnerability described in the source as CVE-2026-43503
PoC: cve-2026-9082-drupal
drupal-postgresql-rce
PoC: graylog-cve-2024-24824-exploit
Proof-of-concept exploit for CVE-2024-24824 demonstrating how an arbitrary class loading primitive can be transformed into remote code execution on vulnerable Graylog deployments.
PoC: CVE-2026-55200
CVE-2026-55200 - Critical libssh2 Remote Code Execution Vulnerability
PoC: By-Poloss..-..CVE-2026-48939
iCagenda Unauthenticated File Upload to RCE
PoC: cve-2025-0133
CVE-2025-0133 Scanner | Palo Alto GlobalProtect XSS Checker
PoC: CVE-2026-22226
Proof of Concept for the CVE-2026-22226
PoC: CVE-2026-20253
POC for CVE-2026-20253
PoC: Joomla_CVE_2026_48907
cve-2026-48907 scanner
PoC: DirtyClone
Python Proof of Concept for DirtyClone (CVE-2026-43503) - Linux kernel LPE via page-cache corruption
PoC: WiseDelete
Windows utility that demonstrates user-mode interaction with the vulnerable WiseDelfile64.sys driver and uses CVE-2025-66680 to perform kernel-assisted file deletion.
PoC: CVE-2025-55182-React2Shell-RCE
React2Shell (CVE-2025-55182) PoC
PoC: CVE-2026-48908
Unauthenticated RCE PoC for CVE-2026-48908 SP Page Builder (Joomla) arbitrary file upload and remote code execution exploit with mass scaning support.
PoC: WiseDelete
A lightweight Windows utility demonstrating user-mode interaction with the vulnerable WiseDelfile64.sys driver using CVE-2025-66680 to perform kernel-assisted file deletion.
PoC: CVE-2026-23918-Double-free-Apache-httpd-mod_http2
Double-free in Apache httpd mod_http2 stream cleanup leading to pre-auth RCE
PoC: CVE-2023-0386-OverlayFS
Copy fake in-memory files to disk using overlayFS
PoC: CVE-2026-49048-JoomCCK-SQLi
CVE-2026-49048 — JoomCCK 6.4.0 Unauthenticated SQL Injection (CVSS 9.8)
PoC: crypto-lab-merkle-proofs
Browser-based Merkle tree demo — build a tree, generate inclusion proofs, recompute the root hash by hash, and replay the RFC 6962 second-preimage and CVE-2012-2459 attacks. Real SHA-256. No backend.
PoC: react2shell-exploit
React2Shell: CVE-2025-55182
PoC: CVE-2026-12485
CVE-2026-12485
PoC: DevHub-HTB-Walkthrough
Hack The Box - DevHub Machine Walkthrough (Medium Linux, CVE-2026-23744, Chisel Tunneling, Jupyter, Root Privilege Escalation)
PoC: CVE-2026-41179
POC for CVE-2026-41179
PoC: dirtyclone-exploit
CVE-2026-46331 — Linux Kernel Local Privilege Escalation TC pedit + IPsec TEE Page Cache Corruption · Affected kernels: ≤ 6.12.9
PoC: CVE-2026-27654
Обзор n-day уязвимости на русском языке.
PoC: CVE-2026-41940-PoC
CVE-2026-41940 authentication bypass vulnerability proof-of-concept
PoC: laravel-filemanager-unrestricted-upload
PoC for CVE-2025-56399 - Unrestricted File Upload leading to RCE in alexusmai/laravel-file-manager (≤3.3.1). Automates detection, CSRF extraction, and File Upload
PoC: DirtyClone
DirtyClone - local privilege escalation (LPE) proof-of-concept targeting a kernel/XFRM-related vulnerability described in the source as CVE-2026-43503
PoC: CVE-2025-69212-Authenticated-RCE-PoC
Automated PoC for CVE-2025-69212 - OpenSTAManager <=2.9.8 authenticated RCE
PoC: ffmpeg-jellyfix
patched ffmpeg-tools for jellyfin to patch CVE-2026-8461 aka PixelSmash
PoC: prefect-cve-2026-5366
PoC for CVE-2026-5366: git argument injection in Prefect's GitRepository leading to RCE on the worker.
PoC: CVE-2026-0073-Android-ADBD-bypass-POC_zh_CN
CVE-2026-0073-Android-ADBD-bypass-POC汉化版
PoC: CVE-2026-48907
CVE-2026-48907 is a CVSS 10.0 pre-auth RCE in Joomla Content Editor affecting all versions ≤ 2.9.99.4. The Grayxploit team breaks down the 3-weakness chain — missing auth, no extension validation, and an unsafe upload flag — that lets attackers pop a shell in 3 HTTP requests.
PoC: htb-orion-writeup
Hack The Box - Orion (Easy) | CVE-2025-32432 & CVE-2026-24061
PoC: CVE-2026-36834
Out-of-bounds array read in LibRaw
PoC: masta-cve-2026-48907
cve-2026-48907 scanner
PoC: CVE-2026-46331
CVE-2026-46331 - Draft
PoC: CVE-2026-8932
CVE-2026-8932
PoC: CVE-2025-58434-Flowiseai-Auth-Bypass-PoC
Flowiseai Flowise Auth Bypass Vulnerability Proof of Concept
PoC: CVE-2026-46331
CVE-2026-46331
PoC: CVE-2026-12415-or-CVE-2026-12416.py
CVE-2026-12415-or-CVE-2026-12416.py
PoC: By-Poloss..-..CVE-2026-39938
Cacti <= 1.2.30
PoC: smbghost
scanner for CVE-2020-0796
PoC: CVE-2026-26980-PoC
Ghost CMS Content API Blind SQL Injection
PoC: CVE-2026-46558
Plane’s V2 asset subsystem trusted workspace slugs and asset UUIDs without enforcing the right membership checks, which let one authenticated user read, copy, delete, and overwrite assets in other workspaces.
PoC: CVE-2026-45806
Penpot's remote image import let an authenticated file editor turn a normal media convenience feature into backend-origin SSRF because attacker-controlled URLs crossed into a redirect-following server fetch path without destination filtering.
PoC: CVE-2026-45806
Penpot's remote image import let an authenticated file editor turn a normal media convenience feature into backend-origin SSRF because attacker-controlled URLs crossed into a redirect-following server fetch path without destination filtering.
PoC: CVE-2026-42089
A local package installation helper trusted caller-supplied package names too much. In yeoman-environment, missing generators could be installed without user confirmation, turning attacker-controlled project metadata into a package-install and code-execution path.
PoC: CVE-2026-34207
The SSRF filter checked hostname text, but the actual destination was decided later by DNS. That gap let attacker-controlled Webhook URLs reach loopback, metadata, and private network targets.
PoC: CVE-2026-34213
A low-privileged Docmost user could supply a victim attachmentId to the generic upload endpoint and overwrite another page's stored attachment inside the same workspace.
PoC: CVE-2026-34212
Docmost accepted a javascript: URL inside an attachment node, preserved it through storage and rendering, and turned it back into a clickable anchor in the Docmost origin.
PoC: CVE-2026-33146
A public share looked clean in the page tree, but the search endpoint told a different story. In Docmost, restricted child pages hidden from public share viewers could still leak through public share search results.
PoC: CVE-2026-54807
CVE-2026-54807 WooCommerce Privilege Escalation ║ ║ Unauthenticated Admin Role Assignment via Reg. Form
PoC: metasploitable2-exploitation-metasploit
Full Metasploit exploitation walkthrough against Metasploitable2 — vsftpd backdoor, Samba CVE-2007-2447, UnrealIRCd backdoor, Netcat exfiltration, and credential cracking prep.
PoC: CVE-2026-8461
CVE-2026-8461
PoC: Amaranth-Project
CVE-2025-8088 exploitation chain + Quasar C2 multi-stage payload delivery
PoC: CVE-2026-13036-PoC
PoC for CVE-2026-13036 — Use-after-free in Blink WidgetBase::UpdateSurfaceAndScreenInfo (Chrome < 149.0.7827.197)
PoC: CVE-2026-24207-triton
PoC + analysis for CVE-2026-24207 / CVE-2026-24206 — NVIDIA Triton SageMaker & Vertex AI auth-restriction bypass + RCE chain
PoC: CVE-2026-26980-Ghost-CMS-Api
CVE-2026-26980 - Ghost CMS Content API SQL Injection
PoC: CVE-2026-43503
CVE-2026-43503
PoC: CVE-2026-55584
CVE-2026-55584 — phpSysInfo IP Allowlist Bypass
PoC: CVE-2023-45866---Blue-exploit
POC for CVE-2023-45866 affecting Latest Android devices.
PoC: CVE-2025-61155
CVE-2025-61155 — arbitrary process termination in GameDriverX64.sys (Tower of Fantasy anti-cheat). Original IDA Pro teardown, PoC, YARA, IOCs, mitigation.
PoC: CVE-2026-4253-Scanner
Non-destructive vulnerability scanner for NGINX HTTP/3 (ngx_http_v3_module). It ONLY performs a safe probe: opens an HTTP/3 (QUIC) connection, sends a single HEAD request and inspects the `Server` response header. It NEVER attempts to reopen a QPACK encoder stream or trigger the use-after-free.
PoC: CVE-2026-23111
Linux Kernel nf_tables Use-After-Free (CVE-2026-23111) — LPE PoC
PoC: CVE-2026-7574
CVE-2026-7574
PoC: cve-2019-9053-py3
Unauthenticated time-based blind SQL injection exploit for CMS Made Simple ≤ 2.2.9 (CVE-2019-9053), ported to Python 3.
PoC: CVE-2025-67038
CVE-2025-67038 - Draft
PoC: CVE-2026-53075poc
POC of CVE-2026-53075
PoC: kernel-exploit-dirtycow
Lab — Privilege Escalation via Dirty Cow CVE-2016-5195 | 4Geeks Academy
PoC: CVE-2021-29441
CVE-2021-29441 - Nacos Authentication Bypass
PoC: CVE-2021-22205
CVE-2021-22205 - GitLab Unauthenticated Remote Code Execution
PoC: C-test-2
Dependabot security automerge test - ejs CVE-2022-29078
PoC: CVE-2026-38526-POC
Proof of Concept of CVE-2026-38526 in Krayin CRM <= v2.2.x. Arbitrary File Upload leading to Remote Code Execution
PoC: vuln-ejs-critical
npm repo with ejs CVE-2022-29078 (CVSS 9.8, EPSS 32%) for Dependabot automerge testing
PoC: FreePBX-SQLi-RCE
CVE-2025-57819 FreePBX SQLi RCE PoC
PoC: CVE-2026-12416-CVE-2026-12417
Unauthenticated Account Takeover via Weak Password Reset Validation via 'reset_user_id' Parameter | Unauthenticated Privilege Escalation via Weak Password Reset Validation via 'reset_activation_code' Leading to Account Takeover
PoC: CVE-2022-37706
ROOT TOOL
PoC: React2Shell-PoC-CVE-2025-55182
Khai thác lỗ hổng bảo mật CVE-2025-55182
PoC: Vulnerability-CVE-2025-64446-CVE-2025-58034
Lỗ hổng FORTIWEB_CVE-2025-64446 & CVE-2025-58034
PoC: Camera-Dahua-Research-l-h-ng-CVE-2021-33044
DAHUA_AUTH-BYPASS-CVE-2021-33044
PoC: CVE-2026-48908
Unauthenticated RCE PoC for CVE-2026-48908 SP Page Builder (Joomla) arbitrary file upload and remote code execution exploit with mass scaning support.
PoC: PoC_CVE-2025-32432
CraftCMS CVE-2025-32432 - Clean PoC
PoC: CVE-2026-48908-SP-Page-Builder-Joomla
CVE-2026-48908 - SP Page Builder Joomla Unauthenticated RCE
PoC: CVE-2026-8461
CVE-2026-8461 - Draft
PoC: rootpacket-cve-2026-31431
CVE-2026-31431 getroot.c from a Turkish Malware
PoC: CVE-Wordpress
CVE-2026-49777, CVE-2026-10735 - Draft
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Get alerted for CVEs like this
Register your stack and get notified within minutes when a matching CVE drops.
Start monitoring free