CVE-2025-50505: n/a
Clash Verge Rev thru 2.2.3 (fixed in 2.3.0) forces the installation of system services(clash-verge-service) by default and exposes key functions through the unauthorized HTTP API `/start_clash`, allowing local users to submit arbitrary bin_path parameters and pass them directly to the service process for execution, resulting in local privilege escalation.
AI Analysis
Technical Summary
CVE-2025-50505 is a local privilege escalation vulnerability found in Clash Verge versions through 2.2.3. Clash Verge installs a system service named clash-verge-service by default, which exposes an HTTP API endpoint `/start_clash` without proper authorization controls. This endpoint accepts a parameter called bin_path, which specifies a binary executable path. Due to insufficient input validation and lack of authentication, local users can submit arbitrary bin_path values that the service will execute with elevated privileges. This flaw arises from CWE-250 (Execution with Unnecessary Privileges), allowing attackers to escalate from limited user accounts to higher privilege levels on the host system. The vulnerability has a CVSS 3.1 base score of 7.8, reflecting high impact on confidentiality, integrity, and availability. Exploitation requires local access but no user interaction or complex attack vectors. The issue was addressed in Clash Verge version 2.3.0 by removing or securing the exposed API and restricting execution parameters. No known public exploits have been reported yet, but the vulnerability poses a significant risk to any system running vulnerable versions, especially in environments where multiple users have local access.
Potential Impact
The vulnerability enables local attackers to execute arbitrary code with elevated privileges, potentially leading to full system compromise. This can result in unauthorized access to sensitive data, modification or deletion of critical files, installation of persistent malware, and disruption of system availability. In multi-user or shared environments, this flaw could allow a low-privileged user to gain administrative control, undermining system security and trust. Organizations relying on Clash Verge for network or security functions may face operational disruptions and increased risk of lateral movement by attackers. The lack of authentication on the API endpoint increases the attack surface for insider threats or compromised local accounts. Although no exploits are currently known in the wild, the vulnerability’s high severity and ease of exploitation make it a critical concern for affected users.
Mitigation Recommendations
1. Upgrade Clash Verge to version 2.3.0 or later, where the vulnerability is fixed. 2. If immediate upgrade is not possible, restrict local access to systems running vulnerable versions to trusted users only. 3. Use host-based firewalls or access control mechanisms to block or limit access to the clash-verge-service HTTP API endpoint locally. 4. Monitor system logs for unusual invocations of the `/start_clash` API or unexpected execution of binaries. 5. Employ application whitelisting to prevent unauthorized binaries from executing with elevated privileges. 6. Conduct regular audits of installed services and their exposed interfaces to detect unauthorized or insecure configurations. 7. Educate users about the risks of local privilege escalation and enforce the principle of least privilege to minimize potential damage from compromised accounts.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, South Korea, India, Brazil
CVE-2025-50505: n/a
Description
Clash Verge Rev thru 2.2.3 (fixed in 2.3.0) forces the installation of system services(clash-verge-service) by default and exposes key functions through the unauthorized HTTP API `/start_clash`, allowing local users to submit arbitrary bin_path parameters and pass them directly to the service process for execution, resulting in local privilege escalation.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-50505 is a local privilege escalation vulnerability found in Clash Verge versions through 2.2.3. Clash Verge installs a system service named clash-verge-service by default, which exposes an HTTP API endpoint `/start_clash` without proper authorization controls. This endpoint accepts a parameter called bin_path, which specifies a binary executable path. Due to insufficient input validation and lack of authentication, local users can submit arbitrary bin_path values that the service will execute with elevated privileges. This flaw arises from CWE-250 (Execution with Unnecessary Privileges), allowing attackers to escalate from limited user accounts to higher privilege levels on the host system. The vulnerability has a CVSS 3.1 base score of 7.8, reflecting high impact on confidentiality, integrity, and availability. Exploitation requires local access but no user interaction or complex attack vectors. The issue was addressed in Clash Verge version 2.3.0 by removing or securing the exposed API and restricting execution parameters. No known public exploits have been reported yet, but the vulnerability poses a significant risk to any system running vulnerable versions, especially in environments where multiple users have local access.
Potential Impact
The vulnerability enables local attackers to execute arbitrary code with elevated privileges, potentially leading to full system compromise. This can result in unauthorized access to sensitive data, modification or deletion of critical files, installation of persistent malware, and disruption of system availability. In multi-user or shared environments, this flaw could allow a low-privileged user to gain administrative control, undermining system security and trust. Organizations relying on Clash Verge for network or security functions may face operational disruptions and increased risk of lateral movement by attackers. The lack of authentication on the API endpoint increases the attack surface for insider threats or compromised local accounts. Although no exploits are currently known in the wild, the vulnerability’s high severity and ease of exploitation make it a critical concern for affected users.
Mitigation Recommendations
1. Upgrade Clash Verge to version 2.3.0 or later, where the vulnerability is fixed. 2. If immediate upgrade is not possible, restrict local access to systems running vulnerable versions to trusted users only. 3. Use host-based firewalls or access control mechanisms to block or limit access to the clash-verge-service HTTP API endpoint locally. 4. Monitor system logs for unusual invocations of the `/start_clash` API or unexpected execution of binaries. 5. Employ application whitelisting to prevent unauthorized binaries from executing with elevated privileges. 6. Conduct regular audits of installed services and their exposed interfaces to detect unauthorized or insecure configurations. 7. Educate users about the risks of local privilege escalation and enforce the principle of least privilege to minimize potential damage from compromised accounts.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- mitre
- Date Reserved
- 2025-06-16T00:00:00.000Z
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 68e51d0ca677756fc9911211
Added to database: 10/7/2025, 2:00:44 PM
Last enriched: 3/17/2026, 6:21:05 PM
Last updated: 3/26/2026, 9:15:10 AM
Views: 254
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.