@Dragon1573

Updates

  • Affected products
  • Description
  • Summary

Comments
The Clash Verge Rev Main GUI now communicates with its service and Mihomo Core process via Unix Socket (.sock file) or Windows Named Pipe (\\.\pipe\ URL) by default for security reasons. This CVE/NVD/GHSA should be marked as fixed.

@github-actions github-actions bot changed the base branch from main to Dragon1573/advisory-improvement-6579 December 25, 2025 16:29
@yhidad31

Hi @Dragon1573, thanks for the contribution. Unfortunately we can't accept this change because the Rust package of the affected product, clash-verge-rev (which contains the affected code), is not in one of our supported ecosystems. If you can point to a package in a supported registry (for example https://crates.io/) we can reevaluate. Thank you for helping improve the database.

@Dragon1573
Author

... because the rust package of the affected product, clash-verge-rev (which contains the affected code), is not in one of our supported ecosystems.

Hi @yhidad31, 👋🏼

I'm one of the collaborators of the repository clash-verge-rev/clash-verge-rev. By communicating with organization member(s) and other collaborators externally (via Telegram), we confirmed that the reported GHSA / NVD / CVE ID has already been resolved and is no longer vulnerable in Clash Verge Rev v2.3.0 and later versions.

How can we claim it as resolved? Can I just edit this pull request and remove this GHSA from the repository?
