CVE-2025-50505
📋 TL;DR
Clash Verge Rev ships a helper system service (clash-verge-service) that runs with elevated privileges and exposes a local HTTP API without authentication. A local user can call its /start_clash endpoint with a bin_path that points to an executable they control, and the service runs that executable with its own privileges, giving local privilege escalation to root/system. Clash Verge Rev versions up to and including 2.2.3 are affected.
💻 Affected Systems
- Clash Verge Rev
⚠️ Manual Verification Required
The NVD entry for this CVE does not carry version ranges, so automated, version-based vulnerability detection cannot tell whether an install is affected. The affected range above (through 2.2.3) and the fixed release (2.3.0) come from the vendor and have to be checked by hand against the installed version.
- Review the CVE details at NVD
- Check the vendor's security advisories for your installed version
- On a test host, confirm whether the service's local API accepts a request from an unprivileged user
- Update to 2.3.0 or later; a fix is released, so this is the remediation rather than a precaution
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full root/system privileges, enabling complete system compromise, data theft, persistence mechanisms, and lateral movement.
Likely Case
Local user or malware with basic access escalates privileges to install additional payloads, modify system configurations, or access protected resources.
If Mitigated
Attack fails when the service is stopped or its API port is blocked, or when local access controls keep untrusted users and code off the host in the first place.
🎯 Exploit Status
Exploit requires local access but is straightforward once access is obtained. Public proof-of-concept available on GitHub.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.3.0
Vendor Advisory: https://github.com/clash-verge-rev/clash-verge-rev
Restart Required: Yes
Instructions:
1. Update Clash Verge Rev to version 2.3.0 or later.
2. Restart the application and the clash-verge-service system service.
3. Verify the service is no longer vulnerable (see How to Verify below).
🔧 Temporary Workarounds
Disable clash-verge-service
(Linux) Stop and disable the vulnerable system service so that nothing listens on its API. The GUI loses service mode while the service is disabled.
sudo systemctl stop clash-verge-service
sudo systemctl disable clash-verge-service
Block local HTTP API access
(Linux) Drop traffic to the API port. Insert the rule at the top of the INPUT chain (-I rather than -A) so it takes precedence over any early accept-loopback rule, and replace [API_PORT] with the port the service actually listens on (check the service process's listening TCP socket). This also cuts off the legitimate GUI, so it is effectively the same as stopping the service.
sudo iptables -I INPUT -p tcp --dport [API_PORT] -j DROP
🧯 If You Can't Patch
- Remove Clash Verge Rev from affected systems entirely.
- Implement strict local access controls and monitor for suspicious service activity.
🔍 How to Verify
Check if Vulnerable:
The host is vulnerable if Clash Verge Rev is 2.2.3 or earlier, clash-verge-service is running, and its HTTP API is reachable by local users.
Check Version:
clash-verge-rev --version
If the binary does not report a version, use the version shown in the application's settings page or the one recorded by your package manager.
Verify Fix Applied:
Confirm the version is 2.3.0 or later, restart clash-verge-service, and confirm that a /start_clash request carrying an arbitrary bin_path is no longer accepted (re-run the same request you used to confirm exposure before patching).
📡 Detection & Monitoring
Log Indicators:
- Processes spawned by clash-verge-service whose executable is not the expected clash core (for example, binaries under /tmp, /dev/shm or a user's home directory), especially when running as root
- HTTP requests to the /start_clash endpoint whose bin_path points outside the application's install location, where the service or a local proxy logs them
Network Indicators:
- Local HTTP traffic to the clash-verge-service API port from a process other than the Clash Verge Rev GUI, especially requests carrying a bin_path parameter
SIEM Query:
parent_process_name="clash-verge-service" AND NOT process_path STARTSWITH "<expected clash core directory>"
Note that bin_path travels in the HTTP request body, not on the service's command line, so a command_line match for "bin_path" will not fire; key the query on the parent/child process relationship instead.
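The following triage script is an added example and is not code from the advisory or from the Clash Verge Rev project. It serves the two checks above: the version test from How to Verify (is the install below the fixed release 2.3.0?) and the Detection indicator "processes spawned by clash-verge-service from outside the expected core directory", run over constructed process-exec events. The JSON event schema, the sample events, the allowed core directories and the core binary name are assumptions to be mapped onto your own EDR or auditd data and install layout.

```python
# Added triage example for CVE-2025-50505 (not the advisory's or the project's own code).
# Assumptions: a JSON-lines process-exec feed with fields ts, pid, ppid, uid, exe, and a
# legitimate clash core installed under one of ALLOWED_CORE_DIRS. Adjust both to your host.
import json
import re
from typing import Iterable

FIXED_VERSION = (2, 3, 0)           # first fixed release named in the advisory
SERVICE_EXE_NAME = "clash-verge-service"

# Assumption: where the legitimate core lives. Anything the service spawns from
# outside these prefixes is treated as a bin_path abuse indicator.
ALLOWED_CORE_DIRS = ("/usr/bin/", "/usr/lib/clash-verge/", "/opt/clash-verge/")

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Parse 'v2.2.3', '2.3.0' or '2.3.0-beta1' into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_affected_version(text: str) -> bool:
    """True when the installed version is below the fixed release 2.3.0."""
    return parse_version(text) < FIXED_VERSION


def find_suspicious_spawns(event_lines: Iterable[str]) -> list:
    """Flag children of clash-verge-service whose executable is outside ALLOWED_CORE_DIRS.

    Parent identity is resolved from a pid->exe table built from earlier events rather
    than from a parent-name field, so a child cannot mislabel its own parent.
    """
    exe_by_pid = {}
    hits = []
    for raw in event_lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        exe_by_pid[ev["pid"]] = ev["exe"]
        parent_exe = exe_by_pid.get(ev["ppid"], "")
        if parent_exe.rsplit("/", 1)[-1] != SERVICE_EXE_NAME:
            continue                      # not spawned by the service
        if ev["exe"].startswith(ALLOWED_CORE_DIRS):
            continue                      # the expected core binary
        hits.append({
            "ts": ev["ts"],
            "pid": ev["pid"],
            "uid": ev["uid"],
            "exe": ev["exe"],
            "reason": f"spawned by {SERVICE_EXE_NAME} from outside the expected core directory",
        })
    return hits


# Constructed sample events (not real telemetry): the service starting, a legitimate core
# launch, two launches from writable locations, and an unrelated /tmp execution under a
# different parent that must not be flagged.
SAMPLE_EVENTS = """
{"ts": "2025-06-01T10:00:00Z", "pid": 800, "ppid": 1,    "uid": 0,    "exe": "/usr/bin/clash-verge-service"}
{"ts": "2025-06-01T10:00:02Z", "pid": 812, "ppid": 800,  "uid": 0,    "exe": "/usr/lib/clash-verge/clash-core"}
{"ts": "2025-06-01T11:14:07Z", "pid": 950, "ppid": 800,  "uid": 0,    "exe": "/tmp/.cache/payload.sh"}
{"ts": "2025-06-01T11:14:09Z", "pid": 960, "ppid": 1200, "uid": 1000, "exe": "/tmp/build/test.sh"}
{"ts": "2025-06-01T11:15:30Z", "pid": 970, "ppid": 800,  "uid": 0,    "exe": "/home/alice/.local/run"}
"""

if __name__ == "__main__":
    print("2.2.3 affected:", is_affected_version("2.2.3"))
    for hit in find_suspicious_spawns(SAMPLE_EVENTS.splitlines()):
        print(f"[{hit['ts']}] pid={hit['pid']} uid={hit['uid']} exe={hit['exe']} ({hit['reason']})")
```

Run against the sample feed, the detector flags pids 950 and 970 (both root, both launched by the service from writable locations) and ignores the /tmp execution under pid 1200. Feed it your real process events by mapping your schema's fields onto ts/pid/ppid/uid/exe, and tighten ALLOWED_CORE_DIRS to the single directory your package actually installs the core into.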