CVE-2025-54581 Overview
CVE-2025-54581 is a division-by-zero denial-of-service vulnerability in vproxy, an HTTP/HTTPS/SOCKS5 proxy server written in Rust. Versions 2.3.3 and below extract untrusted data from the user-controlled HTTP Proxy-Authorization header and pass it through Extension::try_from into parse_ttl_extension, where it is interpreted as a Time-To-Live (TTL) value. An attacker who supplies a TTL of zero through a crafted username such as configuredUser-ttl-0 triggers the modulo operation timestamp % ttl, which panics in Rust and crashes the server process. The issue is fixed in version 2.4.0.
Critical Impact
Unauthenticated remote attackers can crash the vproxy server with a single HTTP request, producing a sustained denial-of-service condition until the process is restarted.
Affected Products
- vproxy versions 2.3.3 and below
- vproxy HTTP proxy listener
- vproxy HTTPS and SOCKS5 listeners using the shared extension parser
Discovery Timeline
- 2025-07-30 - CVE-2025-54581 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-54581
Vulnerability Analysis
The vulnerability is classified as a divide-by-zero error [CWE-369]. vproxy supports per-connection extension parameters supplied through the proxy username field of the HTTP Proxy-Authorization header. The server parses suffixes such as -ttl-<value> and uses the parsed integer as a divisor when computing session bucketing through timestamp % ttl.
In Rust, integer division or modulo by zero on primitive unsigned types produces a runtime panic. Because the parsing path accepts 0 as a legal u64 value, a request that sets the TTL to zero causes the worker task to panic. Depending on the runtime configuration, the panic terminates the server process, interrupting all in-flight proxy sessions.
Root Cause
The root cause is missing validation on the parsed TTL value before it is used in arithmetic. The pre-patch implementation stored the TTL as a u64, allowing zero. The fix in commit aa1bf64 changes the storage type to NonZeroU64, which rejects zero at parse time and prevents the panic from being reachable.
Attack Vector
Exploitation requires only network access to the proxy listener. The attacker sends an HTTP request containing a crafted Proxy-Authorization header where the username embeds the -ttl-0 suffix. No credentials beyond what the proxy already accepts for authorization parsing are required, and no user interaction is involved.
// Patch excerpt from src/extension.rs (commit aa1bf64)
-use std::time::{SystemTime, UNIX_EPOCH};
+use std::{
+ num::NonZeroU64,
+ time::{SystemTime, UNIX_EPOCH},
+};
/// Enum representing different types of extensions.
#[allow(clippy::upper_case_acronyms)]
Source: GitHub Commit aa1bf64
The fix replaces the raw u64 TTL with NonZeroU64, ensuring zero values are rejected during parsing rather than reaching the modulo operation.
Detection Methods for CVE-2025-54581
Indicators of Compromise
- HTTP requests containing a Proxy-Authorization header whose decoded username matches the pattern *-ttl-0 or other zero-valued TTL suffixes.
- Unexpected vproxy process exits accompanied by Rust panic messages referencing attempt to calculate the remainder with a divisor of zero.
- Repeated proxy service restarts correlated with inbound requests from a small set of source addresses.
Detection Strategies
- Inspect proxy access logs for Base64-decoded Proxy-Authorization usernames containing -ttl- followed by 0.
- Alert on vproxy crash loops by monitoring service supervisor restart counters and stderr output for Rust panic stack traces.
- Deploy a network IDS rule that flags HTTP requests carrying the literal substring ttl-0 inside Proxy-Authorization values.
Monitoring Recommendations
- Forward vproxy stdout and stderr to a centralized log pipeline and create identifications on panicked at strings.
- Track proxy availability metrics and alert on unplanned process termination events.
- Correlate source IPs of malformed Proxy-Authorization requests across edge gateways to identify scanning activity.
How to Mitigate CVE-2025-54581
Immediate Actions Required
- Upgrade vproxy to version 2.4.0 or later, which enforces NonZeroU64 parsing for TTL values.
- Restrict network exposure of the proxy listener to trusted clients while patching is rolled out.
- Place vproxy behind a reverse proxy or WAF that strips or rejects Proxy-Authorization headers containing -ttl-0.
Patch Information
The fix is published in vproxy Release v2.4.0 and tracked in GitHub Security Advisory GHSA-7h24-c332-p48c. The underlying code change is available in commit aa1bf64, which converts the TTL field to NonZeroU64 and adds regression tests.
Workarounds
- Block requests where the decoded Proxy-Authorization username contains -ttl-0 at an upstream HTTP proxy or WAF.
- Run vproxy under a process supervisor such as systemd with Restart=always to reduce downtime if a panic occurs before the patch is applied.
- Limit proxy access to authenticated source networks via firewall rules until upgrade to 2.4.0 is complete.
# Example systemd hardening to auto-restart vproxy on panic
[Service]
ExecStart=/usr/local/bin/vproxy run --config /etc/vproxy/config.toml
Restart=always
RestartSec=2s
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
