[ExpressVPN Router] Integer Buffer Overflow: Server Info Disclosure When Router's Nginx Server used as Reverse Proxy Server

Disclosed by
  • Program ExpressVPN
  • Disclosed date over 2 years ago
  • Points 10
  • Priority P3 Bugcrowd's VRT priority rating
  • Status Resolved This vulnerability has been accepted and fixed
Summary by ExpressVPN

A publicly known bug in the Nginx server used by the ExpressVPN Router version 1.x firmware was reported. ExpressVPN no longer ships or supports that version and all users are encouraged to upgrade to the latest version of the ExpressVPN Router firmware available on our site, which is not vulnerable to this bug. Additionally, we highly discourage our users from exposing their router control panel to the Internet, as this class of bug would only be exploitable with access to the control panel, which is usually restricted to the local network.
For help or support upgrading your router please visit: https://www.expressvpn.com/support/

Summary by ja1sh

ExpressVPN Router version 1 is vulnerable to integer overflow vulnerability in Nginx range filter module resulting into leak of potentially sensitive information triggered by specially crafted request.