
CVE-2025-54581 vproxy

Package

Manager: cargo
Name: vproxy
Vulnerable Version: >=0 <2.4.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00054 (percentile 0.16816)

Details

vproxy Divide by Zero DoS Vulnerability

### Summary

Untrusted, user-controlled data from the HTTP Proxy-Authorization header can induce a denial-of-service state.

### Details

Untrusted data is extracted from the user-controlled HTTP Proxy-Authorization header, passed to Extension::try_from, and flows into parse_ttl_extension, where it is parsed as a TTL value. If an attacker supplies a TTL of zero (e.g. by using a username such as 'configuredUser-ttl-0'), the modulo operation 'timestamp % ttl' causes a division-by-zero panic, crashing the server and resulting in a denial of service.

The code assumed to be responsible for this can be found here: https://github.com/0x676e67/vproxy/blob/ab304c3854bf8480be577039ada0228907ba0923/src/extension.rs#L173-L183

### PoC

1. Download and run the latest version of vproxy
2. Send a curl request like the following, adjusting address and port as necessary:

   ```
   curl -x "http://test-ttl-0:test@127.0.0.1:8101" https://google.com
   ```

3. Wait for a curl error indicating "Proxy CONNECT aborted"
4. View logs from the vproxy server
5. Observe that the vproxy server crashed due to a divide-by-zero panic

### Impact

The resulting crash renders the proxy server unusable until it is reset.

Finally, one last note: I'm reporting this on behalf of another researcher at Black Duck. Credit for discovery should be attributed to David Bohannon ([dbohannon](https://github.com/dbohannon)).
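The failure mode and its fix, as an added Rust example that is not vproxy's code: the `-ttl-<n>` username suffix parsing and the `timestamp % ttl` bucketing are re-created here in simplified, hypothetical form (the names `bucket_unchecked`, `parse_ttl_extension`, `bucket` and `session_bucket` are chosen for this example), with the divisor validated at the trust boundary and carried as a `NonZeroU64` so the modulo can no longer panic.

```rust
use std::num::NonZeroU64;

/// Errors a handler can turn into a rejected request instead of a crash.
/// Hypothetical type for this example, not part of vproxy.
#[derive(Debug, PartialEq)]
pub enum TtlError {
    Missing,
    NotANumber,
    Zero,
}

/// The pattern the advisory describes: the divisor comes straight from the
/// untrusted header value, so a TTL of 0 panics on `timestamp % ttl`.
pub fn bucket_unchecked(timestamp: u64, ttl: u64) -> u64 {
    timestamp - (timestamp % ttl) // panics with "attempt to calculate the remainder with a divisor of zero"
}

/// Hardened parse of "<user>-ttl-<n>": the TTL is validated where the
/// untrusted data enters and returned as a NonZeroU64.
pub fn parse_ttl_extension(username: &str) -> Result<(String, NonZeroU64), TtlError> {
    let (base, raw) = username.rsplit_once("-ttl-").ok_or(TtlError::Missing)?;
    let ttl: u64 = raw.parse().map_err(|_| TtlError::NotANumber)?;
    let ttl = NonZeroU64::new(ttl).ok_or(TtlError::Zero)?;
    Ok((base.to_string(), ttl))
}

/// Rounds the timestamp down to the start of its TTL window; the type
/// guarantees the divisor is non-zero, so no runtime check is needed here.
pub fn bucket(timestamp: u64, ttl: NonZeroU64) -> u64 {
    timestamp - (timestamp % ttl.get())
}

/// The whole flow as a request handler would see it: a zero TTL becomes an
/// authentication failure for one client rather than a process-wide panic.
pub fn session_bucket(username: &str, timestamp: u64) -> Result<u64, TtlError> {
    let (_user, ttl) = parse_ttl_extension(username)?;
    Ok(bucket(timestamp, ttl))
}

fn main() {
    // Constructed sample inputs, including the advisory's zero-TTL case.
    println!("{:?}", session_bucket("alice-ttl-60", 1_700_000_125)); // Ok(1700000100)
    println!("{:?}", session_bucket("test-ttl-0", 1_700_000_125)); // Err(Zero)
}
```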

Metadata

Created: 2025-07-30T16:33:41Z
Modified: 2025-07-31T11:18:29Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-7h24-c332-p48c/GHSA-7h24-c332-p48c.json
CWE IDs: ["CWE-369"]
Alternative ID: GHSA-7h24-c332-p48c
Finding: F020
Auto approve: 1