QwikSec

Security Database

CVE

CWE

Training

CVE-2025-50505

Published: Oct 7, 2025

Modified: Mar 17, 2026

PUBLISHED

Description

Clash Verge Rev thru 2.2.3 (fixed in 2.3.0) forces the installation of system services(clash-verge-service) by default and exposes key functions through the unauthorized HTTP API `/start_clash`, allowing local users to submit arbitrary bin_path parameters and pass them directly to the service process for execution, resulting in local privilege escalation.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/clash-verge-rev/clash-verge-rev

https://github.com/clash-verge-rev/clash-verge-service

https://www.clashverge.dev/

https://github.com/bron1e/CVE-2025-50505

https://github.com/cisagov/vulnrichment/issues/206

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.