Is Proxmox affected by CVE-2025-11234?

skltw

New Member
Oct 13, 2025
Hello,


I hope this is the right place to ask, and that someone can help me. Since Proxmox is based on KVM/QEMU, I’d like to know whether PVE 8 and PVE 9 are affected by CVE-2025-11234.


Thank you very much,
Steffen
 
Hi,
Proxmox VE uses Unix sockets for VNC rather than websockets directly with QEMU: https://git.proxmox.com/?p=qemu-ser...48eb530ec1bb2e15ee839c4b64281fe;hb=HEAD#l3371

This means that the affected code for QIOChannelWebsock is not used.

The web socket used by the Proxmox VE UI is created and exposed by proxy/forwarding:
https://git.proxmox.com/?p=qemu-ser...006821c43af5f53a757b62f0fe66e2e6;hb=HEAD#l340
https://git.proxmox.com/?p=qemu-ser...e7b08dfb45110b9bb9ef279fe44075a;hb=HEAD#l3144

So no, Proxmox VE is not affected by that issue, unless you use custom args (which is limited to root@pam) and define your own VNC websocket via the QEMU command line directly.
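One way to audit the "custom args" exception mentioned in the reply above, as an added example that is not part of the original thread or of Proxmox's own tooling. It assumes the usual PVE layout (`/etc/pve/qemu-server/<vmid>.conf`, an `args:` key, `[snapshot]` sections); the function name is hypothetical.

```shell
#!/bin/sh
# Added example: report VM configs whose custom `args:` line hands QEMU a
# VNC websocket listener directly, the one case the reply calls out.
# Output: <vmid> TAB <section> TAB <matching QEMU argument>

find_vnc_websocket_args() {
    dir="${1:-/etc/pve/qemu-server}"   # assumed default config location
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue     # unexpanded glob when dir is empty
        vmid=$(basename "$conf" .conf)
        awk -v vmid="$vmid" '
            # True when the argument asks for a websocket that is not disabled.
            function has_ws(s) { return s ~ /websocket/ && s !~ /websocket=off/ }

            # Snapshot sections carry their own copy of the config,
            # so a rollback can bring a stale args: line back.
            /^\[.*\]$/ { section = substr($0, 2, length($0) - 2); next }

            /^args:/ {
                n = split($0, tok, /[ \t]+/)
                for (i = 2; i < n; i++) {
                    opt = tok[i]; val = tok[i + 1]
                    # QEMU accepts both "-vnc <arg>" and "-display vnc=<arg>".
                    if ((opt ~ /^--?vnc$/ && has_ws(val)) ||
                        (opt ~ /^--?display$/ && val ~ /vnc=/ && has_ws(val)))
                        printf "%s\t%s\t%s\n", vmid,
                               (section == "" ? "current" : section), val
                }
            }
        ' "$conf"
    done
}
```

Run `find_vnc_websocket_args` with no argument on a node; empty output means no VM config defines its own VNC websocket through custom args.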