CVE-2025-54581: 
Rust vulnerability analysis and mitigation

CVE-2025-54581 affects vproxy, an HTTP/HTTPS/SOCKS5 proxy server, in versions 2.3.3 and below. The vulnerability was discovered and disclosed on July 30, 2025. The issue involves untrusted data extraction from the user-controlled HTTP Proxy-Authorization header that can lead to a denial-of-service condition (GitHub Advisory).

The vulnerability occurs when untrusted data is extracted from the HTTP Proxy-Authorization header and passed to Extension::try_from, which flows into parse_ttl_extension where it is parsed as a TTL value. The critical flaw lies in the modulo operation 'timestamp % ttl' where an attacker can supply a TTL of zero, causing a division by zero panic. The vulnerability has been assigned a CVSS v3.1 score of 7.5 (High) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating network accessibility with no required privileges or user interaction (GitHub Advisory, NVD).

When successfully exploited, the vulnerability causes the vproxy server to crash, resulting in a denial-of-service condition. The server becomes unusable until it is manually reset, affecting the availability of proxy services (GitHub Advisory).

The vulnerability has been fixed in version 2.4.0 of vproxy. The fix involves safeguarding TTL parsing with NonZeroU64 to prevent zero values from being processed. Users should upgrade to version 2.4.0 or later to mitigate this vulnerability (GitHub Release, GitHub Commit).