0.20.12
Windows x64
Windows 11
Windows 上的 clash_for_windows 在 0.20.12 在订阅一个恶意链接时存在远程命令执行漏洞。因为对订阅文件中 rule-providers 的 path 的不安全处理导致 cfw-setting.yaml 会被覆盖,cfw-setting.yaml 中 parsers 的 js代码将会被执行。
A remote command execution vulnerability exists in clash_for_windows on Windows 0.20.12 when subscribing to an attacker’s link. cfw-setting.yaml can be overwritten due to unsafe processing of the path of rule-providers in the subscription file, and the js code of parsers in cfw-setting.yaml will be executed.
信息来源:https://github.com/Fndroid/clash_for_windows_pkg/issues/3891