Clash Verge Service Ipc
Monthly
Local privilege escalation in clash-verge-service-ipc before 2.3.0 allows unprivileged local users on macOS and Linux to interact with a world-reachable IPC socket exposed by the privileged Clash Verge service, enabling them to invoke service operations that run with elevated rights. The upstream fix (PR #23) restricts IPC permissions to 0750 on the directory and 0660 on the socket, and the patched dependency was incorporated into the Clash Verge Rev desktop client. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.
Local privilege escalation in clash-verge-service-ipc before 2.3.0 allows unprivileged local users on macOS and Linux to interact with a world-reachable IPC socket exposed by the privileged Clash Verge service, enabling them to invoke service operations that run with elevated rights. The upstream fix (PR #23) restricts IPC permissions to 0750 on the directory and 0660 on the socket, and the patched dependency was incorporated into the Clash Verge Rev desktop client. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.