GHSA-7h24-c332-p48c

Source
https://github.com/advisories/GHSA-7h24-c332-p48c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-7h24-c332-p48c/GHSA-7h24-c332-p48c.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-7h24-c332-p48c
Aliases
Published
2025-07-30T16:33:41Z
Modified
2025-07-31T11:18:29Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
vproxy Divide by Zero DoS Vulnerability
Details

Summary

Untrusted, user-controlled data from the HTTP Proxy-Authorization header can induce a denial of service state.

Details

Untrusted data is extracted from the user-controlled HTTP Proxy-Authorization header and passed to Extension::try_from, from where it flows into parse_ttl_extension and is parsed as a TTL value. If an attacker supplies a TTL of zero (e.g. by using a username such as 'configuredUser-ttl-0'), the modulo operation 'timestamp % ttl' triggers a division-by-zero panic, which crashes the server and results in a denial of service.

The code assumed to be responsible for this can be found here: https://github.com/0x676e67/vproxy/blob/ab304c3854bf8480be577039ada0228907ba0923/src/extension.rs#L173-L183
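The parsing path and the failing arithmetic, reduced to an added Rust illustration (this is not vproxy's code; the username shape "<user>-ttl-<n>" and the use of the remainder as a session bucket are assumptions), with the panicking pattern beside two hardened variants:

```rust
// Added illustration of the bug class in this advisory; not vproxy's code.
// Assumed: the TTL rides in the username as "<user>-ttl-<n>", and the
// remainder `timestamp % ttl` is used to derive a session bucket.

/// Splits "<user>-ttl-<n>" into (user, Some(n)); anything else has no TTL.
fn parse_ttl_username(username: &str) -> (&str, Option<u64>) {
    match username.rsplit_once("-ttl-") {
        Some((user, ttl)) => match ttl.parse::<u64>() {
            Ok(n) => (user, Some(n)),
            Err(_) => (username, None),
        },
        None => (username, None),
    }
}

/// Vulnerable pattern: a plain `%` panics when ttl == 0, which takes the
/// whole process down (the denial of service described above).
fn session_bucket_vulnerable(timestamp: u64, ttl: u64) -> u64 {
    timestamp % ttl
}

/// Hardened arithmetic: `checked_rem` yields None for ttl == 0 instead of
/// panicking, so the caller can fail just this one request.
fn session_bucket_hardened(timestamp: u64, ttl: u64) -> Option<u64> {
    timestamp.checked_rem(ttl)
}

/// Hardened boundary: reject ttl == 0 where the untrusted value is parsed,
/// before it reaches any arithmetic. Ok(None) means "no TTL requested".
fn bucket_for_username(username: &str, timestamp: u64) -> Result<Option<u64>, String> {
    let (_user, ttl) = parse_ttl_username(username);
    match ttl {
        None => Ok(None),
        Some(0) => Err("ttl must be > 0".to_string()),
        Some(t) => Ok(Some(timestamp - timestamp % t)),
    }
}

fn main() {
    // Constructed inputs mirroring the advisory's "configuredUser-ttl-0".
    for name in ["configuredUser-ttl-30", "configuredUser-ttl-0", "plainuser"] {
        println!("{}: {:?}", name, bucket_for_username(name, 100));
    }
    let (_, ttl) = parse_ttl_username("configuredUser-ttl-0");
    println!("checked_rem with ttl {:?}: {:?}", ttl, session_bucket_hardened(100, ttl.unwrap()));
}
```

Either hardening alone is enough to keep a zero TTL from crashing the process; rejecting it at the parse boundary also gives the client a meaningful error instead of a silent session reset.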

PoC

  1. Download and run the latest version of vproxy
  2. Send a curl request like the following, adjusting address and port as necessary: curl -x "http://test-ttl-0:test@127.0.0.1:8101" https://google.com
  3. Wait for a curl error indicating "Proxy CONNECT aborted"
  4. View logs from the vproxy server
  5. Observe that the vproxy server crashed due to a divide-by-zero panic

Impact

The resulting crash renders the proxy server unusable until it is reset.

Finally, one last note: I'm reporting this on behalf of another researcher at Black Duck. Credit for discovery should be attributed to David Bohannon (dbohannon).

Database specific
{
    "github_reviewed": true,
    "severity": "HIGH",
    "github_reviewed_at": "2025-07-30T16:33:41Z",
    "cwe_ids": [
        "CWE-369"
    ],
    "nvd_published_at": "2025-07-30T20:15:37Z"
}
References

Affected packages

crates.io / vproxy

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.4.0

Database specific

{
    "last_known_affected_version_range": "<= 2.3.3"
}