Missing Authentication for Critical Function
Sing-box is an open source proxy system. Versions prior to 1.4.5 and 1.5.x prior to 1.5.0-rc.5 are subject to an authentication bypass when specially crafted requests are sent to sing-box. This affects all SOCKS5 inbounds with user authentication and an attacker may be able to bypass authentication. Users unable to update should not expose the SOCKS5 inbound to insecure environments. NOTE: The vulnerability originally affects the module "github.com/sagernet/sing" versions prior to 0.2.12.
CWE-306 - Missing Authentication for Critical Function
The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.