vproxy is vulnerable to a divide by zero DoS attack

July 30, 2025 invoker category_cve

CVE Details

Basic Information

Title vproxy is vulnerable to a divide by zero DoS attack
Type cve
Published 2025-07-30T19:57:46.454Z
Modified 2025-07-30T20:23:36.826Z

Product Information

Vendor 0x676e67
Product vproxy
Version < 2.4.0

CVSS Information

Base Score 7.5 (HIGH)
Attack Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products

  • 0x676e67 vproxy < 2.4.0

Additional Information

CWE List CWE-369
Source GitHub_M

Description

vproxy is an HTTP/HTTPS/SOCKS5 proxy server. In versions 2.3.3 and below, untrusted data is extracted from the user-controlled HTTP Proxy-Authorization header and passed to Extension::try_from and flows into parse_ttl_extension where it is parsed as a TTL value. If an attacker supplies a TTL of zero (e.g. by using a username such as ‘configuredUser-ttl-0’), the modulo operation ‘timestamp % ttl’ will cause a division by zero panic, causing the server to crash causing a denial-of-service. This is fixed in version 2.4.0.

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.