Hysteria: http large header with sniff cause server DoS
Sending an excessively large header by an attacker could lead to a server-side DoS attack.
Advisories for Golang/Github.com/Apernet/Hysteria package
2026
Hysteria vulnerable to server crash when max_datagram_frame_size very small
An authenticated client can crash the Hysteria server by advertising a very small QUIC max_datagram_frame_size and then triggering a UDP response from the server. When the server tries to send the UDP response back via QUIC DATAGRAM, quic-go returns DatagramTooLargeError. The server then attempts to fragment the Hysteria UDP message, but the fragmentation code does not handle the case where the UDP message header itself is larger than the maximum …
Hysteria has an authenticated UDP ACL bypass that enables localhost and private-network UDP SSRF
Hysteria's UDP relay treats the destination address as packet-scoped, but ACL and outbound policy are applied only once when a new UDP session is created. After an authenticated client opens a UDP session using an allowed first destination, later packets in the same Session ID can be sent to different destinations without re-running ACL evaluation. This allows an authenticated user to bypass server-side UDP ACL rules and reach localhost or …
Hysteria: A specially constructed quic package can crash the server OOM when the sniff is enabled
A specially constructed quic package can crash the server OOM when the sniff is enabled.