How severe is GHSA-45hj-9x76-wp9g?

GHSA-45hj-9x76-wp9g has a CVSS score of 5.9/10, rated MEDIUM. Review your exposure and patch according to your risk tolerance.

Which packages are affected by GHSA-45hj-9x76-wp9g?

GHSA-45hj-9x76-wp9g affects the following packages: outray (npm). Ecosystems affected: npm.

How do I fix GHSA-45hj-9x76-wp9g?

Update outray to 0.1.5 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-45hj-9x76-wp9g is resolved across your whole dependency graph.

How do I detect GHSA-45hj-9x76-wp9g in my npm dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for outray. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-45hj-9x76-wp9g if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-45hj-9x76-wp9g?

O3 pinpoints whether GHSA-45hj-9x76-wp9g is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-45hj-9x76-wp9g actively exploited in the wild?

No public exploit code has been indexed for GHSA-45hj-9x76-wp9g yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure.

What is the EPSS score for GHSA-45hj-9x76-wp9g?

GHSA-45hj-9x76-wp9g has an EPSS (Exploit Prediction Scoring System) score of 0.2%, placing it in the 11th percentile of all CVEs. EPSS is maintained by FIRST.org and estimates the probability that a vulnerability will be exploited in the wild within the next 30 days. This score indicates relatively lower exploitation probability, though the CVSS severity should still guide your patching priority.

What type of vulnerability is GHSA-45hj-9x76-wp9g?

GHSA-45hj-9x76-wp9g is classified as CWE-366 (CWE-366). This weakness type describe the underlying flaw category, which helps determine the potential impact and the right class of mitigation.

When was GHSA-45hj-9x76-wp9g published, and has it been updated?

GHSA-45hj-9x76-wp9g was published on January 13, 2026 and was last updated on February 3, 2026. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

📦 npm

GHSA-45hj-9x76-wp9g

MEDIUM

Outray has a Race Condition in the cli's webapp

Also known asCVE-2026-22819

Published

Jan 13, 2026

Updated

Feb 3, 2026

Affected

1 pkg

Patched

1 / 1

Exploits

None indexed

EPSS Exploitation Probability

via FIRST.org ↗

0.2%probability of exploitation in next 30 days

Lower Risk11th percentile+0.17%

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected

Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.

outraynpm

46downloads / week

Description

Summary

This vulnerability allows a user i.e a free plan user to get more than the desired subdomains due to lack of db transaction lock mechanisms in https://github.com/akinloluwami/outray/blob/main/apps/web/src/routes/api/%24orgSlug/subdomains/index.ts

Details

The affected code-:

//Race condition
        const [subscription] = await db
          .select()
          .from(subscriptions)
          .where(eq(subscriptions.organizationId, organization.id));

        const currentPlan = subscription?.plan || "free";
        const planLimits = getPlanLimits(currentPlan as any);
        const subdomainLimit = planLimits.maxSubdomains;

        const existingSubdomains = await db
          .select()
          .from(subdomains)
          .where(eq(subdomains.organizationId, organization.id));

        if (existingSubdomains.length >= subdomainLimit) {
          return json(
            {
              error: `Subdomain limit reached. The ${currentPlan} plan allows ${subdomainLimit} subdomain${subdomainLimit > 1 ? "s" : ""}.`,
            },
            { status: 403 },
          );
        }

        const existing = await db
          .select()
          .from(subdomains)
          .where(eq(subdomains.subdomain, subdomain))
          .limit(1);

        if (existing.length > 0) {
          return json({ error: "Subdomain already taken" }, { status: 409 });
        }

        const [newSubdomain] = await db
          .insert(subdomains)
          .values({
            id: crypto.randomUUID(),
            subdomain,
            organizationId: organization.id,
            userId: session.user.id,
          })
          .returning();

The first part of the code checks the user plan and determine his/her existing_domains without locking the transaction and allowing it to run.

const existingSubdomains = await db
          .select()
          .from(subdomains)
          .where(eq(subdomains.organizationId, organization.id));

The other part of the code checks if the desired domain is more than the limit.

if (existingSubdomains.length >= subdomainLimit) {
          return json(
            {
              error: `Subdomain limit reached. The ${currentPlan} plan allows ${subdomainLimit} subdomain${subdomainLimit > 1 ? "s" : ""}.`,
            },
            { status: 403 },
          );
        }

Finally, it inserts the subdomain also after the whole check without locking transactions.

const [newSubdomain] = await db
          .insert(subdomains)
          .values({
            id: crypto.randomUUID(),
            subdomain,
            organizationId: organization.id,
            userId: session.user.id,
          })
          .returning();

An attacker can exploit this by making parallel requests to the same endpoint and if the second request reads row subdomains before the INSERT statement of request one is made.It allows the attacker to act on a not yet updated row which bypasses the checks and allow the attacker to get more subdomains.For example-:

  Parallel request 1                               Parallel  Request  2    
     |                                                                     |
checks for                                                     Checks the not yet updated
available subdomain                                     row and bypasses the logic checks
and determines if it is more than limit
    |                                                                        |
Inserts subdomain and calls it a day           Also inserts the  subdomain

The attack focuses on exploiting the race window between reading and writing the db rows.

PoC

Intercept with Burp proxy,pass to Repeater and create multiple requests in a single batch with different subdomain names as seen below. Lastly, send the requests in parallel.

Result-:

Impact

The vulnerability provides an infiinite supply of domains to users bypassing the need for subscription

Affected Packages

1 total 1 fixed

Ecosystem	Package	Vulnerable range	Fix
📦npm	`outray`	all versions	0.1.5

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for outray. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update outray to 0.1.5 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-45hj-9x76-wp9g is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-45hj-9x76-wp9g is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-45hj-9x76-wp9g. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Summary This vulnerability allows a user i.e a free plan user to get more than the desired subdomains due to lack of db transaction lock mechanisms in `https://github.com/akinloluwami/outray/blob/main/apps/web/src/routes/api/%24orgSlug/subdomains/index.ts` ### Details - The affected code-: ```ts //Race condition const [subscription] = await db .select() .from(subscriptions) .where(eq(subscriptions.organizationId, organization.id)); const currentPlan = subscription?.plan || "free"; const planLimits = getPlanLimits(currentPlan as any);

O3 Security · Impact-Aware SCA

Is GHSA-45hj-9x76-wp9g in your dependencies?

O3 detects GHSA-45hj-9x76-wp9g across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works