CVE-2025-50505

Published
View on NVD ↗
CVSS v3
7.8
HIGH
CVSS v2
N/A
Affected
3
PROJECTS

Description

Clash Verge Rev thru 2.2.3 (fixed in 2.3.0) forces the installation of system services(clash-verge-service) by default and exposes key functions through the unauthorized HTTP API `/start_clash`, allowing local users to submit arbitrary bin_path parameters and pass them directly to the service process for execution, resulting in local privilege escalation.

a0yami/CVE-2025-50505
a0yami/CVE-2025-50505
GitHubGitHub
17
clash-verge-rev/clash-verge-rev
clash-verge-rev/clash-verge-rev
A modern GUI client based on Tauri, designed to run in Windows, macOS and Linux for tailored proxy experience
GitHubGitHub
128K
clash-verge-rev/clash-verge-service
clash-verge-rev/clash-verge-service
GitHubGitHub
14