High severity 7.8 · NVD Advisory · Published Oct 7, 2025 · Updated Apr 15, 2026
CVE-2025-50505
Description
Clash Verge Rev through 2.2.3 (fixed in 2.3.0) forces the installation of a system service (clash-verge-service) by default and exposes key functions through the unauthorized HTTP API /start_clash. Local users can submit an arbitrary bin_path parameter, which is passed directly to the service process for execution, resulting in local privilege escalation.
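One way a privileged service can constrain a caller-supplied bin_path before executing it, as an added example that is not Clash Verge Rev's code or its 2.3.0 fix. It assumes a POSIX host; the function name, the allowlist inputs and the owner uid are hypothetical policy choices, and the check complements rather than replaces authorizing callers of the API.

```python
import os
import stat

class RejectedPath(ValueError):
    """Raised when a caller-supplied bin_path must not be executed."""

def validate_bin_path(bin_path, trusted_dirs, trusted_names, owner_uid=0):
    """Return the canonical path if a privileged service may execute it.

    trusted_dirs, trusted_names and owner_uid are assumed policy inputs,
    not values taken from Clash Verge Rev.
    """
    if not isinstance(bin_path, str) or "\x00" in bin_path:
        raise RejectedPath("bin_path must be a string without NUL bytes")
    if not os.path.isabs(bin_path):
        raise RejectedPath("bin_path must be absolute")
    # Resolve symlinks and ".." first, so every check sees the real target.
    real = os.path.realpath(bin_path)
    parent, name = os.path.split(real)
    if name not in trusted_names:
        raise RejectedPath("binary name is not allowlisted")
    if parent not in {os.path.realpath(d) for d in trusted_dirs}:
        raise RejectedPath("binary is outside the trusted directories")
    try:
        checks = [(parent, os.stat(parent)), (real, os.stat(real))]
    except OSError as exc:
        raise RejectedPath(f"cannot stat target: {exc}") from exc
    if not stat.S_ISREG(checks[1][1].st_mode):
        raise RejectedPath("target is not a regular file")
    for path, st in checks:
        # An unprivileged user must not be able to replace the file or
        # swap entries in its directory.
        if st.st_uid != owner_uid:
            raise RejectedPath(f"{path} is not owned by uid {owner_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise RejectedPath(f"{path} is writable by group or others")
    return real
```

The service would execute only the returned canonical path, never the raw request value.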
Affected products
- (no CPE)
- (no CPE) range: <=2.2.3
- Range: <=2.2.3