Sing-box is an open source proxy system. Affected versions are subject to an authentication bypass when specially crafted requests are sent to sing-box. This affects all SOCKS5 inbounds with user authentication and an attacker may be able to bypass authentication. Users are advised to update to sing-box 1.4.4 or to 1.5.0-rc.4. Users unable to update should not expose the SOCKS5 inbound to insecure environments.
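For hosts that cannot be updated yet, the workaround above can be checked against the configuration file. This is an added example, not code from the advisory or from the sing-box project: it lists SOCKS5 inbounds that rely on user authentication and listen on a non-loopback address. The sample config is constructed, and treating `mixed` inbounds as in scope is an assumption.

```python
import ipaddress
import json

# Constructed sample config (not from the advisory). Field names follow
# sing-box's inbound schema: type, tag, listen, listen_port, users.
SAMPLE_CONFIG = """
{
  "inbounds": [
    {"type": "socks", "tag": "lan-socks", "listen": "::", "listen_port": 1080,
     "users": [{"username": "alice", "password": "example"}]},
    {"type": "socks", "tag": "local-socks", "listen": "127.0.0.1", "listen_port": 1081,
     "users": [{"username": "bob", "password": "example"}]},
    {"type": "socks", "tag": "open-socks", "listen": "0.0.0.0", "listen_port": 1082},
    {"type": "mixed", "tag": "mixed-in", "listen": "192.0.2.10", "listen_port": 1083,
     "users": [{"username": "carol", "password": "example"}]},
    {"type": "http", "tag": "http-in", "listen": "0.0.0.0", "listen_port": 8080}
  ]
}
"""

# "socks" is the inbound type the advisory names. "mixed" also serves SOCKS5;
# including it is an assumption made here, not a statement from the advisory.
SOCKS5_TYPES = {"socks", "mixed"}


def is_loopback(listen):
    """True only when the listen address parses as a loopback IP."""
    try:
        return ipaddress.ip_address(listen).is_loopback
    except ValueError:
        return False  # empty, hostname or malformed: treat as exposed


def exposed_authenticated_socks(config_text):
    """Return tags of SOCKS5 inbounds with user auth that are not loopback-only."""
    findings = []
    for index, inbound in enumerate(json.loads(config_text).get("inbounds", [])):
        if inbound.get("type") not in SOCKS5_TYPES:
            continue
        if not inbound.get("users"):
            continue  # no auth configured, so there is nothing to bypass
        if not is_loopback(inbound.get("listen", "")):
            findings.append(inbound.get("tag", f"inbound[{index}]"))
    return findings


if __name__ == "__main__":
    for tag in exposed_authenticated_socks(SAMPLE_CONFIG):
        print(f"review exposure of SOCKS5 inbound: {tag}")
```

Inbounds it reports are the ones to restrict to loopback or a trusted network until the host runs a fixed release.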
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Sing-box | Sagernet | * | 1.4.5 (excluding) |
Sing-box | Sagernet | 1.5.0-beta1 (including) | 1.5.0-beta1 (including) |
Sing-box | Sagernet | 1.5.0-beta10 (including) | 1.5.0-beta10 (including) |
Sing-box | Sagernet | 1.5.0-beta11 (including) | 1.5.0-beta11 (including) |
Sing-box | Sagernet | 1.5.0-beta12 (including) | 1.5.0-beta12 (including) |
Sing-box | Sagernet | 1.5.0-beta2 (including) | 1.5.0-beta2 (including) |
Sing-box | Sagernet | 1.5.0-beta3 (including) | 1.5.0-beta3 (including) |
Sing-box | Sagernet | 1.5.0-beta4 (including) | 1.5.0-beta4 (including) |
Sing-box | Sagernet | 1.5.0-beta5 (including) | 1.5.0-beta5 (including) |
Sing-box | Sagernet | 1.5.0-beta6 (including) | 1.5.0-beta6 (including) |
Sing-box | Sagernet | 1.5.0-beta7 (including) | 1.5.0-beta7 (including) |
Sing-box | Sagernet | 1.5.0-beta8 (including) | 1.5.0-beta8 (including) |
Sing-box | Sagernet | 1.5.0-beta9 (including) | 1.5.0-beta9 (including) |
Sing-box | Sagernet | 1.5.0-rc1 (including) | 1.5.0-rc1 (including) |
Sing-box | Sagernet | 1.5.0-rc2 (including) | 1.5.0-rc2 (including) |
Sing-box | Sagernet | 1.5.0-rc3 (including) | 1.5.0-rc3 (including) |
As data is migrated to the cloud, if access does not require authentication, it can be easier for attackers to access the data from anywhere on the Internet.