Shadowsocks, although initially effective at bypassing censorship,
has inherent weaknesses that can be exploited. For example, it
relies on its own encryption scheme (ciphers such as RC4 or AES-GCM)
rather than an established protocol like OpenVPN, and these
constructions have not been thoroughly reviewed by security experts,
raising concerns about weaknesses that attackers could exploit.
Shadowsocks also lacks Perfect Forward Secrecy (PFS): without it,
past encrypted sessions can still be decrypted if an attacker later
gains access to the server's private key, exposing any sensitive
information those sessions carried. These limitations make
Shadowsocks less secure than some alternatives, especially as GFW
detection methods continue to evolve.
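As an added illustration of the PFS point (example code, not from the page or the Shadowsocks project): in Shadowsocks the long-term secret is a pre-shared password, and the AEAD key schedule derives each session's AES-GCM key from that password plus a salt sent in the clear, so anyone who later obtains the password can recompute the key of any recorded session. The derivation steps follow the Shadowsocks AEAD specification; the scenario functions and the sample password are constructed.

```python
import hashlib
import hmac
import os

# Shadowsocks AEAD key schedule (per the Shadowsocks AEAD specification):
#   master key  = EVP_BytesToKey(password)        (OpenSSL style, MD5, no salt)
#   session key = HKDF-SHA1(master key, salt, info="ss-subkey")
# The salt is sent in the clear at the start of every session, so a passive
# recording of a session contains everything except the password.

def evp_bytes_to_key(password: bytes, key_len: int) -> bytes:
    """OpenSSL EVP_BytesToKey (MD5, one iteration, no salt), as Shadowsocks uses."""
    out, prev = b"", b""
    while len(out) < key_len:
        prev = hashlib.md5(prev + password).digest()
        out += prev
    return out[:key_len]

def hkdf_sha1(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF (extract, then expand) instantiated with HMAC-SHA1."""
    prk = hmac.new(salt, ikm, hashlib.sha1).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha1).digest()
        okm += block
        counter += 1
    return okm[:length]

def session_subkey(password: bytes, salt: bytes, key_len: int = 32) -> bytes:
    """AES-256-GCM session key: a pure function of the static password and the salt."""
    master = evp_bytes_to_key(password, key_len)
    return hkdf_sha1(master, salt, b"ss-subkey", key_len)

def record_session(password: bytes) -> tuple:
    """Constructed scenario: a client opens a session and an observer records the
    salt from the wire. Returns (salt_seen_on_wire, key_actually_used)."""
    salt = os.urandom(32)  # AEAD salt length equals the key length
    return salt, session_subkey(password, salt)

def recover_from_capture(password: bytes, captured_salt: bytes) -> bytes:
    """Later, once the password has leaked, the observer re-derives the very same
    session key from the captured salt. No ephemeral secret stands in the way,
    which is what Perfect Forward Secrecy would add."""
    return session_subkey(password, captured_salt)

if __name__ == "__main__":
    pw = b"example-password"  # constructed sample password
    salt, live_key = record_session(pw)
    assert recover_from_capture(pw, salt) == live_key
    print("session key re-derived from password + captured salt: no PFS")
```

A design with PFS would mix in an ephemeral secret (for example a per-session key exchange) that never appears on the wire and is discarded afterwards, so the captured salt plus the leaked password would no longer suffice.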
CVE-2020-26147 (September 2020): A vulnerability was identified in
Shadowsocks-libev before version 3.3.5, affecting the
shadowsocks-manager module. This vulnerability allowed remote
attackers to execute arbitrary code or cause a denial-of-service
(DoS) condition by sending crafted requests to the management
server.
CVE-2019-15643 (October 2019): A vulnerability was discovered in
Shadowsocks-libev before version 3.3.2, affecting the s5 module.
This vulnerability allowed remote attackers to execute arbitrary
code or cause a denial-of-service (DoS) condition via a crafted
SOCKS5 request.
CVE-2019-15642 (October 2019): Another vulnerability was found in
Shadowsocks-libev before version 3.3.2, affecting the HTTP module.
This vulnerability allowed remote attackers to execute arbitrary
code or cause a denial-of-service (DoS) condition via a crafted
HTTP request.
CVE-2019-17356 (October 2019): A vulnerability was identified in
Shadowsocks-libev before version 3.3.2, affecting the
shadowsocks-manager module. This vulnerability allowed remote
attackers to execute arbitrary code or cause a denial-of-service
(DoS) condition by sending crafted requests to the management
server.
CVE-2018-20998 (December 2018): A vulnerability was discovered in
Shadowsocks-libev before version 3.3.2, affecting the
shadowsocks-manager module. This vulnerability allowed remote
attackers to execute arbitrary code or cause a denial-of-service
(DoS) condition via a crafted request to the management server.