CVE-2019-5163

7.5 HIGH

📋 TL;DR

This vulnerability allows remote attackers to cause a denial of service in Shadowsocks-libev by sending arbitrary UDP packets when the service uses a Stream Cipher together with the local_address configuration. The service crashes with a FATAL error, disrupting proxy functionality. Anyone running vulnerable versions of Shadowsocks-libev with UDPRelay enabled is affected.

💻 Affected Systems

Products:
  • Shadowsocks-libev
Versions: 3.3.2 and earlier
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using Stream Cipher (like RC4, ChaCha20) with local_address configuration and UDPRelay enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service disruption requiring manual restart, potentially affecting all users relying on the Shadowsocks proxy for network connectivity.

🟠 Likely Case

Service crashes and becomes unavailable until restarted, causing temporary loss of proxy service for connected clients.

🟢 If Mitigated

No impact if patched or if vulnerable configurations are not used.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted UDP packets to the vulnerable service.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.3.3 and later

Vendor Advisory: https://github.com/shadowsocks/shadowsocks-libev/releases

Restart Required: Yes

Instructions:

1. Update Shadowsocks-libev to version 3.3.3 or later.
2. Restart the Shadowsocks service.
3. Verify the update was successful.

🔧 Temporary Workarounds

Disable UDPRelay (linux)

Disable UDP relay functionality if it is not required:

1. Edit the Shadowsocks config to remove or comment out the UDP relay settings.
2. Restart the Shadowsocks service.

Use AEAD Cipher (linux)

Switch from a Stream Cipher to an AEAD Cipher (like AES-256-GCM):

1. Edit the config to use an AEAD cipher method.
2. Restart the Shadowsocks service.

🧯 If You Can't Patch

  • Implement network filtering to block UDP traffic to Shadowsocks port from untrusted sources
  • Use firewall rules to restrict access to Shadowsocks service to trusted IPs only

🔍 How to Verify

Check if Vulnerable:

Check if running Shadowsocks-libev version 3.3.2 or earlier with UDPRelay enabled and Stream Cipher configured.

Check Version:

ss-server --version

Verify Fix Applied:

Verify Shadowsocks-libev version is 3.3.3 or later and service remains running after receiving UDP traffic.
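As an added example (not part of this advisory or of shadowsocks-libev itself), the following Python checker reads a config.json, reports which of the advisory's four preconditions (version before 3.3.3, Stream Cipher, local_address set, UDPRelay enabled) a deployment meets, and applies the AEAD cipher workaround. The config keys, the "mode" values and the cipher names are assumptions drawn from shadowsocks-libev's documented config format, not from this page.

```python
# Hypothetical checker for the CVE-2019-5163 preconditions; not part of shadowsocks-libev.
# Config keys ("method", "mode", "local_address") and cipher names follow the shadowsocks-libev
# config.json format as the author of this example knows it; the advisory names only the conditions.
import json

PATCHED = (3, 3, 3)  # first fixed release named by the advisory

# Stream ciphers accepted by shadowsocks-libev (assumed list, not from the advisory).
STREAM_CIPHERS = {
    "rc4", "rc4-md5", "aes-128-cfb", "aes-192-cfb", "aes-256-cfb",
    "aes-128-ctr", "aes-192-ctr", "aes-256-ctr", "bf-cfb",
    "camellia-128-cfb", "camellia-192-cfb", "camellia-256-cfb",
    "salsa20", "chacha20", "chacha20-ietf",
}

def parse_version(text):
    """'3.3.2' or 'v3.3.2' -> (3, 3, 2), so releases compare numerically, not as strings."""
    return tuple(int(p) for p in text.strip().lstrip("v").split("."))

def udp_relay_enabled(cfg):
    # "mode" is tcp_only / tcp_and_udp / udp_only; an absent key means TCP only (assumed default).
    return cfg.get("mode", "tcp_only") in ("tcp_and_udp", "udp_only")

def assess(cfg, version):
    """List the advisory's preconditions this deployment meets; all four together mean vulnerable."""
    hits = []
    if parse_version(version) < PATCHED:
        hits.append("version < 3.3.3")
    if cfg.get("method", "").lower() in STREAM_CIPHERS:
        hits.append("stream cipher")
    if cfg.get("local_address"):
        hits.append("local_address set")
    if udp_relay_enabled(cfg):
        hits.append("UDP relay enabled")
    return hits

def is_vulnerable(cfg, version):
    return len(assess(cfg, version)) == 4

def hardened(cfg):
    """Apply the advisory's cipher workaround: replace a stream cipher with AES-256-GCM."""
    fixed = dict(cfg)
    if fixed.get("method", "").lower() in STREAM_CIPHERS:
        fixed["method"] = "aes-256-gcm"
    return fixed

# Constructed sample config.json contents, not taken from any real deployment.
SAMPLE = json.loads('{"server": "0.0.0.0", "server_port": 8388, "local_address": "127.0.0.1",'
                    ' "password": "REDACTED", "method": "chacha20", "mode": "tcp_and_udp"}')
```

Run `assess(json.load(open("/etc/shadowsocks-libev/config.json")), version)` with the version string your package manager reports; an empty list, or any list shorter than four, means the advisory's crash condition is not met.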

📡 Detection & Monitoring

Log Indicators:

  • FATAL error messages in Shadowsocks logs
  • Service crash/restart events

Network Indicators:

  • Unexpected UDP traffic spikes to Shadowsocks port
  • Service unresponsive after UDP packets

SIEM Query:

source="shadowsocks.log" AND "FATAL" AND "UDPRelay"
