High severity7.8NVD Advisory· Published Oct 7, 2025· Updated Apr 15, 2026

CVE-2025-50505

Description

Clash Verge Rev thru 2.2.3 (fixed in 2.3.0) forces the installation of system services(clash-verge-service) by default and exposes key functions through the unauthorized HTTP API /start_clash, allowing local users to submit arbitrary bin_path parameters and pass them directly to the service process for execution, resulting in local privilege escalation.

Affected products

Clash Verge Rev/Clash Verge Servicereferences

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/cisagov/vulnrichment/issues/206nvd
www.clashverge.devnvd

News mentions

No linked articles in our index yet.

cvss	0.507
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000