CVE-2017-15924

Name of the Vulnerable Software and Affected Versions shadowsocks-libev version 3.1.0

Description The issue is related to improper parsing in the ss-manager component of shadowsocks-libev, allowing command injection via shell metacharacters in a JSON configuration request received via UDP traffic on 127.0.0.1. This is associated with the add server, build config, and construct command line functions. The vulnerability can be exploited by sending a specially crafted JSON configuration file, potentially allowing an attacker to inject arbitrary commands or execute arbitrary code.

Recommendations For shadowsocks-libev version 3.1.0, as a temporary workaround, consider disabling the add server, build config, and construct command line functions until a patch is available. Restrict access to the ss-manager component to minimize the risk of exploitation. Avoid using UDP traffic on 127.0.0.1 for JSON configuration requests until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.