github-starred/frp
2
0
Fork 0
mirror of https://github.com/fatedier/frp.git synced 2026-05-15 08:05:49 -06:00
Code Issues 40 Projects Packages Wiki Activity Actions 1

[GH-ISSUE #3398] Security issue #2716

New issue
Closed
opened 2026-05-05 13:45:09 -06:00 by gitea-mirror · 3 comments
gitea-mirror commented 2026-05-05 13:45:09 -06:00
Owner
Copy link

Originally created by @gaycomputers on GitHub (Apr 11, 2023).
Original GitHub issue: https://github.com/fatedier/frp/issues/3398

Bug Description

Hello, I believe an attacker can use an active frps session (one they did not set up). This exposes a lot of attack surface, both in the parsing/passing of packets of frps, and in the server such as DoS.

For example, I have a frps server running on a gateway. It is forwarding my traffic on the port I want to my server (a game).
An attacker could do multiple things such as:
1. after causing a crash or connection loss on my gameserver, tell frps to connect to their machine with the same port- this would then route all legitimate traffic to my gateway to the attackers machine.
2. request a new connection to start forwarding new traffic from a different port to the attackers machine
3. exploit a vulnerability they discovered in the parsing of a packet handled by frps

A good fix for this would be to implement some kind of authentication between frps and frpc. In keeping with the simplicity of frp, it could even be as simple as a Y/n prompt in the frps when a frpc tries to connect. There could be a handshake using a key for unattended setup (avoiding the Y/n prompt).

frpc Version

0.48.0

frps Version

0.48.0

System Architecture

linux/amd64

Configurations

Most example configurations are affected.

Logs

No response

Steps to reproduce

...

Affected area

  • Docs
  • Installation
  • Performance and Scalability
  • Security
  • User Experience
  • Test and Release
  • Developer Infrastructure
  • Client Plugin
  • Server Plugin
  • Extensions
  • Others
Originally created by @gaycomputers on GitHub (Apr 11, 2023). Original GitHub issue: https://github.com/fatedier/frp/issues/3398 ### Bug Description Hello, I believe an attacker can use an active frps session (one they did not set up). This exposes a lot of attack surface, both in the parsing/passing of packets of frps, and in the server such as DoS. For example, I have a frps server running on a gateway. It is forwarding my traffic on the port I want to my server (a game). An attacker could do multiple things such as: 1. after causing a crash or connection loss on my gameserver, tell frps to connect to their machine with the same port- this would then route all legitimate traffic to my gateway to the attackers machine. 2. request a new connection to start forwarding new traffic from a different port to the attackers machine 3. exploit a vulnerability they discovered in the parsing of a packet handled by frps A good fix for this would be to implement some kind of authentication between frps and frpc. In keeping with the simplicity of frp, it could even be as simple as a Y/n prompt in the frps when a frpc tries to connect. There could be a handshake using a key for unattended setup (avoiding the Y/n prompt). ### frpc Version 0.48.0 ### frps Version 0.48.0 ### System Architecture linux/amd64 ### Configurations Most example configurations are affected. ### Logs _No response_ ### Steps to reproduce 1. 2. 4. ... ### Affected area - [ ] Docs - [ ] Installation - [ ] Performance and Scalability - [X] Security - [ ] User Experience - [ ] Test and Release - [ ] Developer Infrastructure - [ ] Client Plugin - [ ] Server Plugin - [ ] Extensions - [ ] Others
gitea-mirror 2026-05-05 13:45:09 -06:00
gitea-mirror commented 2026-05-05 13:45:13 -06:00
Author
Owner
Copy link

@fatedier commented on GitHub (Apr 11, 2023):

It can be implemented through server plugin.

<!-- gh-comment-id:1502617503 --> @fatedier commented on GitHub (Apr 11, 2023): It can be implemented through [server plugin](https://github.com/fatedier/frp#server-manage-plugins).
gitea-mirror commented 2026-05-05 13:45:14 -06:00
Author
Owner
Copy link

@Becods commented on GitHub (Apr 12, 2023):

Set token or oidc for your frps to ensure that an attacker does not forward your traffic to his machine without knowing your token.

7678938c08/conf/frps_full.ini (L79-L115)

Enable tls if necessary.

7678938c08/conf/frps_full.ini (L126-L131)

<!-- gh-comment-id:1504718801 --> @Becods commented on GitHub (Apr 12, 2023): Set token or oidc for your frps to ensure that an attacker does not forward your traffic to his machine without knowing your token. https://github.com/fatedier/frp/blob/7678938c088c8d57367494ad53dd5c3b9e0cca35/conf/frps_full.ini#L79-L115 Enable tls if necessary. https://github.com/fatedier/frp/blob/7678938c088c8d57367494ad53dd5c3b9e0cca35/conf/frps_full.ini#L126-L131
gitea-mirror commented 2026-05-05 13:45:14 -06:00
Author
Owner
Copy link

@github-actions[bot] commented on GitHub (May 13, 2023):

Issues go stale after 30d of inactivity. Stale issues rot after an additional 7d of inactivity and eventually close.

<!-- gh-comment-id:1546469310 --> @github-actions[bot] commented on GitHub (May 13, 2023): Issues go stale after 30d of inactivity. Stale issues rot after an additional 7d of inactivity and eventually close.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
dev
new
master
copilot/review-pull-request-5198
v0.68.1
v0.68.0
v0.67.0
v0.66.0
v0.65.0
v0.64.0
v0.63.0
v0.62.1
v0.62.0
v0.61.2
v0.61.1
v0.61.0
v0.60.0
v0.59.0
v0.58.1
v0.58.0
v0.57.0
v0.56.0
v0.55.1
v0.55.0
v0.54.0
v0.53.2
v0.53.1
v0.53.0
v0.52.3
v0.52.2
v0.52.1
v0.52.0
v0.51.3
v0.51.2
v0.51.1
v0.51.0
v0.50.0
v0.49.0
v0.48.0
v0.47.0
v0.46.1
v0.46.0
v0.45.0
v0.44.0
v0.43.0
v0.42.0
v0.41.0
v0.40.0
v0.39.1
v0.39.0
v0.38.0
v0.37.1
v0.37.0
v0.36.2
v0.36.1
v0.36.0
v0.35.1
v0.35.0
v0.34.3
v0.34.2
v0.34.1
v0.34.0
v0.33.0
v0.32.1
v0.32.0
v0.31.2
v0.31.1
v0.31.0
v0.30.0
v0.29.1
v0.29.0
v0.28.2
v0.28.1
v0.28.0
v0.27.1
v0.27.0
v0.26.0
v0.25.3
v0.25.2
v0.25.1
v0.25.0
v0.24.1
v0.24.0
v0.23.3
v0.23.2
v0.23.1
v0.23.0
v0.22.0
v0.21.0
v0.20.0
v0.19.1
v0.19.0
v0.18.0
v0.17.0
v0.16.1
v0.16.0
v0.15.1
v0.15.0
v0.14.1
v0.14.0
v0.13.0
v0.12.0
v0.11.0
v0.10.0
v0.9.3
v0.9.2
v0.9.1
v0.9.0
v0.8.1
v0.8.0
v0.7.0
v0.6.0
v0.5.0
v0.3.0
v0.2.0
v0.1.0
Labels
Clear labels   
In Progress

   
WIP

   
WaitingForInfo

   
bug

   
doc

   
duplicate

   
easy

   
enhancement

   
future

   
help wanted

   
invalid

   
lifecycle/stale

   
need-issue-template

   
need-usage-help

   
no plan

   
proposal

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
todo
No labels
In Progress
WIP
WaitingForInfo
bug
doc
duplicate
easy
enhancement
future
help wanted
invalid
lifecycle/stale
need-issue-template
need-usage-help
no plan
proposal
pull-request
question
todo
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/frp#2716
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?