
Cloud Vulnerability DB
A community-led vulnerabilities database
ExpressVPN versions 12.23.1 to 12.72.0 on Windows contained a security vulnerability (CVE-2024-25728) in the split tunneling feature. When split tunneling was enabled, DNS requests were sent to the DNS resolver configured in Windows (typically the ISP's) instead of being routed through ExpressVPN's own DNS servers, potentially exposing users' browsing history to their Internet Service Providers (ISPs) (Bleeping Computer, ExpressVPN Blog).
The vulnerability specifically manifested when using the "Only allow selected apps to use the VPN" split tunneling mode. Instead of routing DNS requests through ExpressVPN's logless DNS servers as intended, the requests were sent to the DNS server configured on the user's computer, typically operated by their ISP. The issue has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).
The vulnerability potentially exposed the domains visited by affected users to their ISPs, compromising their browsing privacy. The traffic itself still travelled through the encrypted tunnel, so its content remained unviewable by third parties, but the DNS queries carrying the domain names (such as google.com) reached the ISP's resolver, where conventional DNS over UDP/53 is cleartext. ExpressVPN estimates that less than 1% of its Windows users were impacted by this issue (ExpressVPN Blog).
ExpressVPN has addressed the vulnerability by releasing version 12.73.0, which temporarily removes the split tunneling feature. Users are advised to upgrade to the latest version immediately. For those who cannot upgrade, disabling split tunneling prevents the DNS request leaks. The company plans to reintroduce split tunneling in a future release once the issue is fully resolved (ExpressVPN Blog).
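For fleet triage, the practical check is whether a host runs a build inside the advisory's range and whether the split-tunneling mode that triggers the leak is active. The following is an added example (not code from the page, Wiz or ExpressVPN) that encodes exactly that logic. It assumes you already have the installed version string and the split-tunneling state per host (for instance from the DisplayVersion value under the Windows uninstall registry keys and the client's settings); how you collect those is outside the snippet. The sample inventory and the "other-mode" label are constructed placeholders, and the version bounds are the ones stated on this page (a build between 12.72.0 and 12.73.0, if one existed, is not covered by that statement).

```python
"""Added example: classify Windows hosts for CVE-2024-25728 exposure.

Assumptions (not from the advisory): the inventory record shape, the
"other-mode" placeholder, and that version strings are collected elsewhere.
"""
import re
from typing import Any, Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

AFFECTED_MIN: Version = (12, 23, 1)  # first affected build per the advisory
AFFECTED_MAX: Version = (12, 72, 0)  # last affected build per the advisory

# Split-tunneling mode in which the advisory says the leak manifests.
LEAKY_MODE = "Only allow selected apps to use the VPN"


def parse_version(text: str) -> Version:
    """Parse '12.72.0' into a comparable (major, minor, patch) tuple.

    Compare numerically, not lexically: as strings '12.9.0' > '12.72.0',
    which would put an old build inside the affected range. Components
    beyond the third (e.g. a build number) are ignored because the
    advisory states its bounds as major.minor.patch; a missing patch
    component is treated as 0.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")][:3]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected_version(version: str) -> bool:
    """True when the build falls inside the advisory's inclusive range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def assess(version: str, split_tunnel_enabled: bool, mode: Optional[str]) -> str:
    """Classify one host.

    not-affected      build outside the affected range (including 12.73.0+)
    exposed           affected build with the leaky split-tunneling mode active
    vulnerable-build  affected build, split tunneling on in another mode;
                      the advisory's workaround is to turn split tunneling off
    mitigated         affected build, split tunneling disabled
    """
    if not is_affected_version(version):
        return "not-affected"
    if not split_tunnel_enabled:
        return "mitigated"
    if mode == LEAKY_MODE:
        return "exposed"
    return "vulnerable-build"


# Constructed sample inventory; "other-mode" is a placeholder, not a real
# ExpressVPN setting name.
SAMPLE_INVENTORY: List[Dict[str, Any]] = [
    {"host": "ws-01", "version": "12.72.0", "split_tunnel": True, "mode": LEAKY_MODE},
    {"host": "ws-02", "version": "12.23.1", "split_tunnel": False, "mode": None},
    {"host": "ws-03", "version": "12.73.0", "split_tunnel": False, "mode": None},
    {"host": "ws-04", "version": "12.9.0", "split_tunnel": True, "mode": LEAKY_MODE},
    {"host": "ws-05", "version": "12.50.2", "split_tunnel": True, "mode": "other-mode"},
]


def triage(inventory: List[Dict[str, Any]]) -> Dict[str, str]:
    """Map host name -> assessment for a list of inventory records."""
    return {
        rec["host"]: assess(rec["version"], rec["split_tunnel"], rec["mode"])
        for rec in inventory
    }


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

The version parser is the part worth keeping: a lexical comparison of "12.9.0" against "12.72.0" classifies the older build as affected, and a fourth build component would push "12.72.0.1" out of the range, so both are normalised before the inclusive-bounds check.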
Source: This report was generated using AI