CVE-2025-34451 Overview
CVE-2025-34451 is a stack-based buffer overflow in rofl0r/proxychains-ng, a popular tool that redirects network connections through proxy servers. The flaw exists in the proxy_from_string() function within src/libproxychains.c. Versions up to and including 4.17, prior to commit cc005b7, fail to validate the length of username and password fields parsed from proxy configuration entries. Crafted entries with overly long credentials write beyond fixed-size stack buffers, causing memory corruption or process crashes. The vulnerability is categorized under [CWE-121] Stack-based Buffer Overflow and [CWE-787] Out-of-bounds Write.
Critical Impact
Local attackers controlling the proxychains configuration file can trigger denial of service and, depending on compiler mitigations and execution context, potentially escalate to code execution.
Affected Products
- rofl0r/proxychains-ng versions up to and including 4.17
- All builds prior to commit cc005b7
- Any application or script invoked through vulnerable proxychains-ng binaries
Discovery Timeline
- 2025-12-18 - CVE-2025-34451 published to NVD
- 2025-12-31 - Last updated in NVD database
Technical Details for CVE-2025-34451
Vulnerability Analysis
The proxy_from_string() function parses proxy entries of the form type://user:password@host:port from the proxychains configuration file. It extracts the username and password substrings, then copies them into fixed-size stack buffers (user_buf and pass_buf, each 256 bytes) using memcpy(). Before the patch, the length validation only applied when the proxy type was SOCKS5. For other proxy types such as HTTP and SOCKS4, no length check ran before the copy. A configuration entry with a username or password exceeding 255 bytes overwrites adjacent stack memory, including saved return addresses and frame pointers.
Root Cause
The root cause is a missing bounds check that was guarded by a proxy-type condition. The original code applied the ul > 255 || pl > 255 check only when proxytype == RS_PT_SOCKS5. Other proxy types bypassed validation entirely and proceeded directly to memcpy(user_buf, u, ul), where ul is attacker-controlled.
Attack Vector
Exploitation requires local access to influence the proxychains configuration file. This includes scenarios where the configuration path is writable by a lower-privileged user, where PROXYCHAINS_CONF_FILE is set in an environment a user can manipulate, or where a privileged process consumes a configuration file controlled by an unprivileged account. Successful exploitation corrupts stack memory and may bypass stack canaries depending on toolchain mitigations.
// Security patch in src/libproxychains.c - fixes the missing bounds check
// Source: https://github.com/httpsgithu/proxychains-ng/commit/cc005b7
ul = p-u;
p++;
pl = at-p;
- if(proxytype == RS_PT_SOCKS5 && (ul > 255 || pl > 255))
+ if(ul > 255 || pl > 255)
return 0;
memcpy(user_buf, u, ul);
user_buf[ul]=0;
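Review bot: the bound in the new `if(ul > 255 || pl > 255)` line is a bare literal that has to stay in step with the size of user_buf and of the password buffer, and neither declaration is visible in this hunk. A named constant shared with the buffer declarations would stop the check and the `user_buf[ul]=0` terminator write from drifting apart if a buffer is ever resized. It is also worth confirming that ul and pl are unsigned, because both come from pointer subtraction (`p-u`, `at-p`) and a negative signed value would pass a `> 255` test and then be used as the memcpy length.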
The patch removes the proxytype == RS_PT_SOCKS5 condition so the length check applies to every proxy type. Oversized credential fields now cause the function to return 0 instead of overflowing the stack buffer.
Detection Methods for CVE-2025-34451
Indicators of Compromise
- Unexpected crashes or segmentation faults in processes launched through the proxychains4 wrapper.
- proxychains.conf files containing ProxyList entries with username or password fields exceeding 255 bytes.
- Core dumps showing corrupted stack frames inside proxy_from_string() or libproxychains4.so.
- Modifications to proxychains configuration files by non-administrative accounts.
Detection Strategies
- Scan filesystems for installed proxychains-ng packages at versions 4.17 or earlier and inventory the binaries.
- Audit proxychains.conf, ~/.proxychains/proxychains.conf, and /etc/proxychains.conf for malformed ProxyList entries containing abnormally long credential strings.
- Monitor execve telemetry for invocations of proxychains4 and correlate with subsequent process termination signals.
Monitoring Recommendations
- Alert on write events targeting proxychains configuration paths from unexpected user contexts.
- Track package manager events for installations of proxychains-ng versions prior to the fix.
- Forward Linux audit logs covering SIGSEGV signals on processes loading libproxychains4.so to a central data lake for correlation.
How to Mitigate CVE-2025-34451
Immediate Actions Required
- Update proxychains-ng to a build that includes commit cc005b7 or later.
- Restrict write permissions on proxychains.conf to the root user only.
- Audit all systems where unprivileged users can influence environment variables that point to alternative configuration files.
- Remove proxychains-ng from systems where it is not operationally required.
Patch Information
The fix is committed in cc005b7 of the upstream rofl0r/proxychains-ng repository. The patch removes the proxy-type-specific guard around the credential length check, ensuring all proxy types validate input lengths before copying. Rebuild and redeploy libproxychains4.so from source after applying the commit, or wait for downstream distribution package updates. See the proxychains-ng commit cc005b7 and VulnCheck advisory for technical details.
Workarounds
- Set strict file permissions: chmod 644 /etc/proxychains.conf and chown root:root /etc/proxychains.conf.
- Prevent unprivileged users from supplying alternate configuration files by sanitizing the PROXYCHAINS_CONF_FILE environment variable in privileged scripts.
- Validate any ProxyList entry username and password fields to ensure they remain under 255 bytes before deployment.
# Verify installed version and enforce safe configuration permissions
proxychains4 --version
sudo chown root:root /etc/proxychains.conf
sudo chmod 644 /etc/proxychains.conf
# Inspect configuration for oversized credential fields
awk '/^[a-z]+/ {for(i=1;i<=NF;i++) if(length($i)>255) print FILENAME":"NR}' /etc/proxychains.conf
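An added example, not part of the original advisory or of the proxychains-ng project: a Python audit that measures the username and password of each type://user:password@host:port entry in bytes, where the awk one-liner above only compares whole whitespace-separated fields. Splitting the credentials at the last '@' and the first ':' is an assumption about how the parser finds them, and the sample entries are constructed.

```python
import re
import sys

MAX_FIELD = 255  # the patched check rejects ul > 255 || pl > 255
# URL-form entry as described in this advisory: type://user:password@host:port
ENTRY = re.compile(rb"^([A-Za-z0-9]+)://(.*)$")

def audit_line(line: bytes):
    """Return (proxy_type, user_len, pass_len) in bytes for a URL-form entry
    that carries credentials, or None for any other line."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    proxy_type, rest = m.group(1), m.group(2)
    at = rest.rfind(b"@")  # assumption: the last '@' ends the credentials
    if at < 0:
        return None  # no credentials in this entry
    # assumption: the first ':' separates username from password
    user, _, password = rest[:at].partition(b":")
    return proxy_type, len(user), len(password)

def audit_config(data: bytes):
    """Return (line_no, proxy_type, field, length) for every oversized field."""
    findings = []
    for line_no, line in enumerate(data.splitlines(), 1):
        parsed = audit_line(line)
        if parsed is None:
            continue
        proxy_type, user_len, pass_len = parsed
        for field, length in (("username", user_len), ("password", pass_len)):
            if length > MAX_FIELD:
                findings.append((line_no, proxy_type.decode("ascii"), field, length))
    return findings

# Constructed sample configuration (documentation addresses, not real proxies).
SAMPLE = b"\n".join([
    b"[ProxyList]",
    b"# constructed sample entries",
    b"socks5://alice:s3cret@192.0.2.10:1080",
    b"http://" + b"A" * 256 + b":pw@192.0.2.11:8080",
    b"socks4://bob:" + b"B" * 300 + b"@192.0.2.12:1080",
    b"http://" + b"C" * 255 + b":pw@192.0.2.13:3128",  # 255 bytes passes the check
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for line_no, proxy_type, field, length in audit_config(data):
        print(f"line {line_no}: {proxy_type} entry has a {field} of {length} bytes")
```

Run it with a configuration path as the only argument; with no argument it audits the constructed sample.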