Critical severity · NVD Advisory · Published Sep 25, 2023 · Updated Sep 24, 2024

Improper authentication in the SOCKS5 inbound in sing-box

CVE-2023-43644

Description

Sing-box is an open source proxy system. Affected versions are subject to an authentication bypass when specially crafted requests are sent to sing-box. This affects all SOCKS5 inbounds with user authentication and an attacker may be able to bypass authentication. Users are advised to update to sing-box 1.4.4 or to 1.5.0-rc.4. Users unable to update should not expose the SOCKS5 inbound to insecure environments.
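
The kind of check at issue for a SOCKS5 inbound with user authentication, as an added example that is not code from sing-box or sing: a server-side RFC 1929 username/password exchange that ends the session on any non-success status. The `users` map, the `duplex` type and the sample credentials are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/subtle"
	"errors"
	"fmt"
	"io"
)

var ErrAuthFailed = errors.New("socks5: authentication failed")
type duplex struct{ io.Reader; io.Writer } // demo transport: separate in/out

// authenticate runs one RFC 1929 exchange (illustrative, not sing's code): read
// VER/UNAME/PASSWD, write the status reply, error unless status is 0x00.
func authenticate(rw io.ReadWriter, users map[string]string) (name string, err error) {
	read := func(n int) []byte { // reader with a sticky error
		b := make([]byte, n)
		if err == nil {
			_, err = io.ReadFull(rw, b)
		}
		return b
	}
	ver := read(1)
	user := read(int(read(1)[0])) // ULEN, UNAME
	pass := read(int(read(1)[0])) // PLEN, PASSWD
	if err == nil && ver[0] != 0x01 {
		err = fmt.Errorf("socks5: bad auth version %#x", ver[0])
	}
	if err != nil {
		return "", err
	}
	want, known := users[string(user)] // users: stand-in credential store
	ok := known && subtle.ConstantTimeCompare(pass, []byte(want)) == 1
	status := map[bool]byte{true: 0x00, false: 0x01}[ok] // non-zero = failure
	if _, err = rw.Write([]byte{0x01, status}); err != nil {
		return "", err
	}
	if !ok { // fail closed: the caller must not go on to read a request
		return "", fmt.Errorf("%w, username=%q", ErrAuthFailed, user)
	}
	return string(user), nil
}

func main() { // constructed input: user "alice" with the wrong password "nope"
	in, out := bytes.NewReader([]byte("\x01\x05alice\x04nope")), &bytes.Buffer{}
	_, err := authenticate(duplex{in, out}, map[string]string{"alice": "s3cret"})
	fmt.Printf("reply=% x err=%v\n", out.Bytes(), err)
}
```

The error carries the username only; the submitted password never reaches the error text or a log line.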

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| github.com/sagernet/sing-box (Go) | < 1.4.5 | 1.4.5 |
| github.com/sagernet/sing-box (Go) | >= 1.5.0-beta.1, < 1.5.0-rc.5 | 1.5.0-rc.5 |
| github.com/sagernet/sing (Go) | < 0.2.12-0.20230925092853-5b05b5c147d9 | 0.2.12-0.20230925092853-5b05b5c147d9 |

Patches

9891fd672f5d

Reject SOCKS4 unauthenticated request

https://github.com/SagerNet/sing-box · 世界 · Sep 25, 2023 · via ghsa
4 files changed · +7 -9
  • go.mod · +1 -1 · modified
    @@ -27,7 +27,7 @@ require (
     	github.com/sagernet/gvisor v0.0.0-20230627031050-1ab0276e0dd2
     	github.com/sagernet/quic-go v0.0.0-20230919101909-0cc6c5dcecee
     	github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691
    -	github.com/sagernet/sing v0.2.12-0.20230925092853-5b05b5c147d9
    +	github.com/sagernet/sing v0.2.12-0.20230925124400-0531fd63eaba
     	github.com/sagernet/sing-dns v0.1.10-0.20230921024525-fc3e4c051ccd
     	github.com/sagernet/sing-mux v0.1.3
     	github.com/sagernet/sing-quic v0.1.1-0.20230922040527-541e66a4a16d
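Review bot: the `github.com/sagernet/sing` line moves from one untagged pseudo-version to another, so nothing in this file tells a dependency audit which behaviour it is getting. The removed pseudo-version ends in 5b05b5c147d9, the sing commit shown further down this page as "Fix socks5 handshake", while the SOCKS4 rejection named in this commit's title arrives only with 0531fd63eaba. Name that sing commit in the commit message and move to a tagged sing release once one exists, so the two states can be told apart from go.mod alone.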
    
  • go.sum · +2 -2 · modified
    @@ -114,8 +114,8 @@ github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 h1:5Th31OC6yj8byL
     github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691/go.mod h1:B8lp4WkQ1PwNnrVMM6KyuFR20pU8jYBD+A4EhJovEXU=
     github.com/sagernet/sing v0.0.0-20220817130738-ce854cda8522/go.mod h1:QVsS5L/ZA2Q5UhQwLrn0Trw+msNd/NPGEhBKR/ioWiY=
     github.com/sagernet/sing v0.1.8/go.mod h1:jt1w2u7lJQFFSGLiRrRIs5YWmx4kAPfWuOejuDW9qMk=
    -github.com/sagernet/sing v0.2.12-0.20230925092853-5b05b5c147d9 h1:63rn0NKTjb5fjuODYUNMkwwvDtsQlBdipr7GAzBLzd4=
    -github.com/sagernet/sing v0.2.12-0.20230925092853-5b05b5c147d9/go.mod h1:GQ673iPfUnkbK/dIPkfd1Xh1MjOGo36gkl/mkiHY7Jg=
    +github.com/sagernet/sing v0.2.12-0.20230925124400-0531fd63eaba h1:RTf3zQGQdlmCNNR92cJDJAnLgbPhsM2sLAQ+aMIuVTQ=
    +github.com/sagernet/sing v0.2.12-0.20230925124400-0531fd63eaba/go.mod h1:GQ673iPfUnkbK/dIPkfd1Xh1MjOGo36gkl/mkiHY7Jg=
     github.com/sagernet/sing-dns v0.1.10-0.20230921024525-fc3e4c051ccd h1:czixTtZijtdR4bMQYT/0LZy1x5ouiaDBi742YE0zudU=
     github.com/sagernet/sing-dns v0.1.10-0.20230921024525-fc3e4c051ccd/go.mod h1:y76ieq1uilVg6fe5wJWqM2oKjdrn4q0lY1nwAZ86ok0=
     github.com/sagernet/sing-mux v0.1.3 h1:fAf7PZa2A55mCeh0KKM02f1k2Y4vEmxuZZ/51ahkkLA=
    
  • test/go.mod · +1 -1 · modified
    @@ -12,7 +12,7 @@ require (
     	github.com/docker/docker v24.0.6+incompatible
     	github.com/docker/go-connections v0.4.0
     	github.com/gofrs/uuid/v5 v5.0.0
    -	github.com/sagernet/sing v0.2.12-0.20230925092853-5b05b5c147d9
    +	github.com/sagernet/sing v0.2.12-0.20230925124400-0531fd63eaba
     	github.com/sagernet/sing-quic v0.1.1-0.20230922040527-541e66a4a16d
     	github.com/sagernet/sing-shadowsocks v0.2.5
     	github.com/sagernet/sing-shadowsocks2 v0.1.4
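Review bot: no regression test accompanies the bump on the `github.com/sagernet/sing` line here; all four files changed in this commit are go.mod or go.sum. Add a case under test/ that covers the behaviour in the commit title (a SOCKS4 request against an inbound configured with users is refused), so a later dependency change cannot silently bring the old behaviour back.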
    
  • test/go.sum · +3 -5 · modified
    @@ -129,9 +129,8 @@ github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 h1:5Th31OC6yj8byL
     github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691/go.mod h1:B8lp4WkQ1PwNnrVMM6KyuFR20pU8jYBD+A4EhJovEXU=
     github.com/sagernet/sing v0.0.0-20220817130738-ce854cda8522/go.mod h1:QVsS5L/ZA2Q5UhQwLrn0Trw+msNd/NPGEhBKR/ioWiY=
     github.com/sagernet/sing v0.1.8/go.mod h1:jt1w2u7lJQFFSGLiRrRIs5YWmx4kAPfWuOejuDW9qMk=
    -github.com/sagernet/sing v0.2.12-0.20230921162020-494f88c9b8bf h1:O8jjYmCExZbsgmqZEHyn05C/7ZzD0SLTG21QNcYoP2Q=
    -github.com/sagernet/sing v0.2.12-0.20230921162020-494f88c9b8bf/go.mod h1:GQ673iPfUnkbK/dIPkfd1Xh1MjOGo36gkl/mkiHY7Jg=
    -github.com/sagernet/sing v0.2.12-0.20230925092853-5b05b5c147d9/go.mod h1:GQ673iPfUnkbK/dIPkfd1Xh1MjOGo36gkl/mkiHY7Jg=
    +github.com/sagernet/sing v0.2.12-0.20230925124400-0531fd63eaba h1:RTf3zQGQdlmCNNR92cJDJAnLgbPhsM2sLAQ+aMIuVTQ=
    +github.com/sagernet/sing v0.2.12-0.20230925124400-0531fd63eaba/go.mod h1:GQ673iPfUnkbK/dIPkfd1Xh1MjOGo36gkl/mkiHY7Jg=
     github.com/sagernet/sing-dns v0.1.10-0.20230921024525-fc3e4c051ccd h1:czixTtZijtdR4bMQYT/0LZy1x5ouiaDBi742YE0zudU=
     github.com/sagernet/sing-dns v0.1.10-0.20230921024525-fc3e4c051ccd/go.mod h1:y76ieq1uilVg6fe5wJWqM2oKjdrn4q0lY1nwAZ86ok0=
     github.com/sagernet/sing-mux v0.1.3 h1:fAf7PZa2A55mCeh0KKM02f1k2Y4vEmxuZZ/51ahkkLA=
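Review bot: the removed lines in this hunk are stale entries rather than straight replacements: the two 494f88c9b8bf checksums belong to a sing version that neither side of the test/go.mod change references, and the old 5b05b5c147d9 entry had only a /go.mod hash with no h1 module hash. That suggests test/go.sum was not regenerated on the previous bump. A CI step that fails when `go mod tidy` in test/ would change go.sum keeps this cleanup out of security fixes.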
    @@ -142,8 +141,7 @@ github.com/sagernet/sing-shadowsocks2 v0.1.4 h1:vht2M8t3m5DTgXR2j24KbYOygG5aOp+M
     github.com/sagernet/sing-shadowsocks2 v0.1.4/go.mod h1:Mgdee99NxxNd5Zld3ixIs18yVs4x2dI2VTDDE1N14Wc=
     github.com/sagernet/sing-shadowtls v0.1.4 h1:aTgBSJEgnumzFenPvc+kbD9/W0PywzWevnVpEx6Tw3k=
     github.com/sagernet/sing-shadowtls v0.1.4/go.mod h1:F8NBgsY5YN2beQavdgdm1DPlhaKQlaL6lpDdcBglGK4=
    -github.com/sagernet/sing-tun v0.1.13-0.20230922035004-b6d323004edd h1:R7DOvvQfYMmsdIr43wCQGHregky4/FGcvOEcIuxEt5w=
    -github.com/sagernet/sing-tun v0.1.13-0.20230922035004-b6d323004edd/go.mod h1:7IGpNWXuP0TnxkUiGJRJjewFLquTOhLw1RtfNgxzjJI=
    +github.com/sagernet/sing-tun v0.1.13-0.20230925091515-8adce0ea02a9 h1:tWzCogCxcFUAroWVS1msS00AqHtQ2Y5vYThcXKQpLJw=
     github.com/sagernet/sing-tun v0.1.13-0.20230925091515-8adce0ea02a9/go.mod h1:7IGpNWXuP0TnxkUiGJRJjewFLquTOhLw1RtfNgxzjJI=
     github.com/sagernet/sing-vmess v0.1.8 h1:XVWad1RpTy9b5tPxdm5MCU8cGfrTGdR8qCq6HV2aCNc=
     github.com/sagernet/sing-vmess v0.1.8/go.mod h1:vhx32UNzTDUkNwOyIjcZQohre1CaytquC5mPplId8uA=
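Review bot: the sing-tun h1 line changes from b6d323004edd to 8adce0ea02a9 even though the commit is titled as a SOCKS4 fix and the sing-tun /go.mod line below it is unchanged context. This looks like leftover tidy-up from an earlier sing-tun bump; put it in its own commit so the security fix stays minimal and easy to backport.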
    
5b05b5c147d9

Fix socks5 handshake

https://github.com/SagerNet/sing · 世界 · Sep 25, 2023 · via ghsa
1 file changed · +3 -0
  • protocol/socks/handshake.go · +3 -0 · modified
    @@ -171,6 +171,9 @@ func HandleConnection0(ctx context.Context, conn net.Conn, version byte, authent
     			if err != nil {
     				return err
     			}
    +			if response.Status != socks5.UsernamePasswordStatusSuccess {
    +				return E.New("socks5: authentication failed, username=", usernamePasswordAuthRequest.Username, ", password=", usernamePasswordAuthRequest.Password)
    +			}
     		}
     		request, err := socks5.ReadRequest(conn)
     		if err != nil {
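Review bot: the new `E.New(...)` line puts `usernamePasswordAuthRequest.Password` into the error text, so every failed login writes the submitted password wherever this error is logged, including a legitimate user's mistyped password. Drop the `", password="` part and keep at most the username. Returning before `socks5.ReadRequest(conn)` when the status is not `UsernamePasswordStatusSuccess` is the right place for the check, but the hunk adds no test; a case asserting that HandleConnection0 returns an error after a failed status would pin it down.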
    
