Bug 2423732 (CVE-2025-34451)

Summary: CVE-2025-34451 proxychains-ng: proxychains-ng: Denial of Service due to stack-based buffer overflow via crafted proxy configuration
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in proxychains-ng. An attacker can exploit a stack-based buffer overflow vulnerability in the proxy_from_string() function by providing crafted proxy configuration entries containing overly long username or password fields. This can lead to memory corruption or application crashes, resulting in a Denial of Service (DoS). Under specific conditions, this vulnerability could potentially be leveraged for further exploitation.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2423793, 2423794, 2423795, 2423796, 2423797    
Bug Blocks:    

Description OSIDB Bzimport 2025-12-18 22:02:11 UTC 
rofl0r/proxychains-ng versions up to and including 4.17 and prior to commit cc005b7 contain a stack-based buffer overflow vulnerability in the function proxy_from_string() located in src/libproxychains.c. When parsing crafted proxy configuration entries containing overly long username or password fields, the application may write beyond the bounds of fixed-size stack buffers, leading to memory corruption or crashes. This vulnerability may allow denial of service and, under certain conditions, could be leveraged for further exploitation depending on the execution environment and applied mitigations.