PT-2025-40998 · Unknown · Clash Verge

Bron1E · Published 2025-10-07 · Updated 2026-01-21 · CVE-2025-50505

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Clash Verge versions through 2.2.3

Description

The software installs system services (clash-verge-service) by default and exposes functions through an unauthorized HTTP API. Specifically, the /start clash API endpoint allows local users to submit arbitrary bin path parameters. These parameters are directly passed to the service process for execution, potentially leading to local privilege escalation.

Recommendations

Update to a version beyond 2.2.3.

Exploit

Fix

LPE

Related Identifiers

CVE-2025-50505

Affected Products

Clash Verge