Critical VLESS Client Flaw: Bypassing Split Tunneling and IP Leaks
All popular mobile VLESS clients based on xray/sing-box run an unauthenticated local SOCKS5 proxy. This lets spyware bypass per-app split tunneling and private spaces (like Knox, Shelter, or Island) by directly scanning localhost ports and pulling the proxy's exit IP.
The standard traffic flow is:
VpnService -> tun2socks -> xray socks5 -> VPN server -> freedom
Spyware connects to SOCKS5 while skipping VpnService. Private spaces isolate VpnService but not the loopback interface, leaving the proxy exposed.
Regulators' playbooks list common ports: SOCKS (1080, 9000, 5555, 16000-16100), HTTP (80, 443, 3128). This technique has been used in the wild.
Tested Clients
Tested March 10, 2026; developers notified. As of April 7, 2026, no fixes:
- Happ: Critically vulnerable, dumps configs via unauthenticated xray API (HandlerService). Traffic decryption possible when combined with another xray flaw.
- v2RayTun: Vulnerable.
- V2BOX: Vulnerable.
- v2rayNG: Vulnerable.
- Hiddify: Vulnerable.
- Exclave: Vulnerable.
- Npv Tunnel: Vulnerable.
- Neko Box: Vulnerable.
Clash and sing-box in standard setups are also at risk. The fix requires SOCKS5 authentication, but UDP stays unprotected.
Happ Vulnerability Details
Happ enables unauthenticated xray API via HandlerService, exposing configs: keys, inbound IP, SNI. Reverse engineering found no justification—xray restarts on config changes anyway. Devs cited stats needs (LogService would suffice) but refused fixes. Updates blocked after App Store removal.
Recommendation: Server-side blocks via UserAgent Happ/*. One compromised Happ client can leak your entire server to censors.
Protection Steps
No client is fully secure. iOS woes worsened by app store removals.
- Split inbound and outbound IPs. Alternative: Wrap outbound traffic in CloudFlare WARP.
- Selective routing:
geoip:ru-> direct, everything else -> proxy. - Server-side block of
geoip:ruto dodge traffic pattern analysis from spy apps (Yandex, Wildberries, Ozon).
Windows example: v2rayN with "Everything except Russia" preset.
Key Takeaways
- The flaw lets spyware scan localhost, grab proxy IPs, and dodge VpnService plus private spaces.
- Happ also leaks configs via unsecured xray API, risking traffic decryption.
- No clients patched; fix needs SOCKS5 auth + dropping UDP.
- Protect with IP splitting, geoip routing, Happ/RU blocks on servers.
- Technique's been exploited before; regulators know about it.
— Editorial Team
No comments yet.