PT-2025-31441 · Vproxy · Vproxy
David Bohannon +1 · Published 2025-07-30 · Updated 2025-07-31 · CVE-2025-54581
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
vproxy versions 2.3.3 and below
Description
vproxy is an HTTP/HTTPS/SOCKS5 proxy server. Untrusted data from the user-controlled HTTP Proxy-Authorization header is passed to Extension::try_from and then to parse_ttl_extension, where it is parsed as a TTL value. Supplying a TTL value of zero via the username in the Proxy-Authorization header (e.g., 'configuredUser-ttl-0') causes a division by zero panic in the timestamp % ttl modulo operation, leading to a denial-of-service condition and server crash.
Recommendations
Upgrade to vproxy version 2.4.0 or later.
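The defect class described above, shown as an added Rust example that is not vproxy's own code or its actual fix: the unguarded modulo next to a parser that rejects a zero TTL and a checked_rem fallback. All function and type names here are hypothetical, and using the remainder to compute a window start is an assumption; only the 'configuredUser-ttl-N' username shape comes from the advisory.

```rust
use std::time::{SystemTime, UNIX_EPOCH};

#[derive(Debug, PartialEq)]
pub enum TtlError { Missing, NotANumber, Zero }

/// "Before" form: a bare `timestamp % ttl` panics when ttl == 0.
pub fn unguarded_rem(timestamp: u64, ttl: u64) -> u64 {
    timestamp % ttl
}

/// Extract N from "<user>-ttl-<N>" and reject zero at the parsing boundary,
/// so no later arithmetic ever sees a zero divisor.
pub fn parse_ttl(username: &str) -> Result<u64, TtlError> {
    let (_, raw) = username.rsplit_once("-ttl-").ok_or(TtlError::Missing)?;
    let ttl: u64 = raw.parse().map_err(|_| TtlError::NotANumber)?;
    if ttl == 0 {
        return Err(TtlError::Zero);
    }
    Ok(ttl)
}

/// Start of the TTL window containing `timestamp` (assumed use of the remainder).
/// checked_rem returns None for ttl == 0 instead of panicking.
pub fn window_start(timestamp: u64, ttl: u64) -> Option<u64> {
    timestamp.checked_rem(ttl).map(|rem| timestamp - rem)
}

/// Full path from untrusted username to window start, with both guards applied.
pub fn session_window(username: &str, timestamp: u64) -> Result<u64, TtlError> {
    let ttl = parse_ttl(username)?;
    window_start(timestamp, ttl).ok_or(TtlError::Zero)
}

fn main() {
    let now = SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs();
    // Constructed sample usernames: valid TTL, zero TTL, non-numeric TTL.
    for user in ["configuredUser-ttl-60", "configuredUser-ttl-0", "configuredUser-ttl-x"] {
        println!("{user}: {:?}", session_window(user, now));
    }
}
```

Rejecting the value during parsing turns the crash into an ordinary authentication error, and checked_rem keeps the arithmetic safe even if a zero reaches it by another route.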
Exploit
Fix
DoS
Divide By Zero
Affected Products
Vproxy