diff --git a/common/uuid/uuid.go b/common/uuid/uuid.go
index 4ede12e6..ef6da4cb 100644
--- a/common/uuid/uuid.go
+++ b/common/uuid/uuid.go
@@ -85,10 +85,14 @@ func ParseString(str string) (UUID, error) {
 b := uuid.Bytes()
 for _, byteGroup := range byteGroups {
- if text[0] == '-' {
+ if len(text) > 0 && text[0] == '-' {
 text = text[1:]
 }
+ if len(text) < byteGroup {
+ return uuid, errors.New("invalid UUID: ", str)
+ }
+
 if _, err := hex.Decode(b[:byteGroup/2], text[:byteGroup]); err != nil {
 return uuid, err
 }
diff --git a/common/uuid/uuid_test.go b/common/uuid/uuid_test.go
index 6f26ca5b..7d909a78 100644
--- a/common/uuid/uuid_test.go
+++ b/common/uuid/uuid_test.go
@@ -44,6 +44,11 @@ func TestParseString(t *testing.T) {
 if err == nil {
 t.Fatal("Expect error but nil")
 }
+
+ _, err = ParseString("2418d087-648d-4990-86e8-19dca1d0")
+ if err == nil {
+ t.Fatal("Expect error but nil")
+ }
 }
 func TestNewUUID(t *testing.T) {
diff --git a/proxy/vless/encoding/encoding.go b/proxy/vless/encoding/encoding.go
index b3b43bac..6cbacd8d 100644
--- a/proxy/vless/encoding/encoding.go
+++ b/proxy/vless/encoding/encoding.go
@@ -93,7 +93,7 @@ func DecodeRequestHeader(isfb bool, first *buf.Buffer, reader io.Reader, validat
 if request.User = validator.Get(id); request.User == nil {
 u := uuid.UUID(id)
- return nil, nil, nil, isfb, errors.New("invalid request user id: %s" + u.String())
+ return nil, nil, nil, isfb, errors.New("invalid request user id: " + u.String())
 }
 if isfb {
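Review bot: The new early return in ParseString hands back `uuid` alongside the error, although earlier loop iterations have already decoded into `b`, which comes from `uuid.Bytes()`. If that slice aliases the value's storage, a caller that ignores the error receives a partially filled identifier. Returning the zero value, `return UUID{}, errors.New("invalid UUID: ", str)`, makes the failure unambiguous. The same applies to the `return uuid, err` after `hex.Decode` just below, which also lacks the "invalid UUID" context the new branch carries. ParseString starts and ends outside the hunk, so whether bytes left over after the last group are rejected cannot be judged from here.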
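Review bot: The added case in TestParseString covers only a truncated final group, so nothing here exercises the `len(text) > 0` guard that the same commit adds in uuid.go. A small table of malformed inputs run through one loop (for example one short in an earlier group and one ending right after a dash) would pin the rejection paths, depending on what any earlier length check in ParseString already filters. The failure message could name the input, e.g. `t.Fatalf("ParseString(%q): expected error, got nil", in)`. TestParseString begins above the hunk.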
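Review bot: The corrected message in DecodeRequestHeader is still built by string concatenation, while the uuid.go hunk in this commit calls `errors.New("invalid UUID: ", str)` with separate arguments. If both files use the same project errors package, `errors.New("invalid request user id: ", u.String())` would match that style. The rejected id is rendered through `u.String()`, which presumably keeps the client-supplied bytes in a fixed textual form in logs, and that is worth keeping when this line is next touched. DecodeRequestHeader starts and ends outside the hunk.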