[CRITICAL] Arbitrary TCP Connection Abuse - CVE-HSYNC-2026-002

## Security Vulnerability Report

**Severity**: CRITICAL (CVSS 9.1)
**File**: `lib/socket-relays.js`

### Description
The `connectSocket` function allows remote peers to establish arbitrary TCP connections to any host/port combination without authentication or validation. The whitelist/blacklist functionality is implemented but not enforced (TODO comment).

### Vulnerable Code
```javascript
//  TODO: check white and black lists on peer
socket.connect(relay.targetPort, relay.targetHost, () => {
```

### Impact
- Internal network scanning
- SSRF attacks
- Lateral movement
- Access to internal services

### Recommendation
Implement and enforce whitelist/blacklist validation, add authentication checks, and restrict target destinations.

### References
- Found during security audit of hsync reverse proxy
- Part of comprehensive security review identifying 13 vulnerabilities

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[CRITICAL] Arbitrary TCP Connection Abuse - CVE-HSYNC-2026-002 #27

Security Vulnerability Report

Description

Vulnerable Code

Impact

Recommendation

References

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

[CRITICAL] Arbitrary TCP Connection Abuse - CVE-HSYNC-2026-002 #27

Description

Security Vulnerability Report

Description

Vulnerable Code

Impact

Recommendation

References

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions