ExpressVPN Bug Leaking DNS Requests for Years

Abeerah Hashim  - Security Expert
Last updated: February 12, 2024
  • ExpressVPN found a bug in its software that leaked DNS requests for an extended period.
  • The bug affects Windows users with an active split tunneling feature, potentially exposing their browsing histories to ISPs and other third parties.
  • ExpressVPN recommends disabling the split tunneling feature or upgrading to the latest version to mitigate the issue.

After identifying a bug that revealed the domains users visited, ExpressVPN has removed the split tunneling feature from the latest version of its software. The bug was present in ExpressVPN for Windows versions 12.23.1 to 12.72.0, between May 19, 2022, and February 7, 2024, and only affected users of the split tunneling feature.

Split tunneling helps to route some traffic outside the VPN tunnel, providing the flexibility of using both remote secure access and the local network simultaneously. 

This particular bug routed users’ DNS requests through their internet service providers (ISPs) instead of through ExpressVPN’s infrastructure, as they should be.

Usually, ExpressVPN works by directing DNS requests through its logless DNS servers to stop ISPs and other third parties from monitoring the domains a user visits. However, the bug caused some DNS queries to go to the DNS server configured on the computer, usually a server belonging to the user’s ISP, which let that server monitor the user’s browsing habits.

A DNS request leak like this means that third parties can see the domains visited by Windows users who have the split tunneling feature active, contradicting the commitment of VPN products.

When using ExpressVPN, the users’ DNS requests should route through an ExpressVPN server, the vendor’s announcement explains. However, the bug directed some of the requests through a third-party server, which usually belongs to the user’s internet service provider (ISP).

As a result, the ISP can see the domains the user visits, like, but the ISP still cannot see searches, individual web pages, or other online behavior. ExpressVPN encrypts all content of the users’ online traffic, and ISPs or other third parties cannot view it.

A reporter identified and reported the issue, which only happens when the split tunneling feature is active. According to ExpressVPN, the issue only affected 1% of Windows users. The company could only reproduce the bug in the ‘Only allow selected apps to use the VPN’ split tunneling mode. ExpressVPN Windows users with versions 12.23.1 to 12.72.0 should update their software to version 12.73.0.

This latest version lacks the split tunneling feature, but the company says it will re-introduce it after fixing the bug. If you cannot upgrade, you should deactivate the split tunneling feature to prevent the DNS request leaks, as the bug cannot be replicated in other modes. If you really want to use the split tunneling feature, ExpressVPN recommends using version 10, which the bug doesn’t impact.
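To confirm that a client is no longer leaking after upgrading or disabling split tunneling, you can inspect where an app's DNS queries actually go. The following is an added example, not ExpressVPN's code: it assumes tab-separated capture records (interface, destination IP, destination port, queried name) taken from an app that is supposed to use the VPN, and the interface name `tun0`, the resolver `10.8.0.1` and all sample records are constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: interface, destination IP, destination port, queried name.
# Interface names and addresses are placeholders, not ExpressVPN values.
SAMPLE_CAPTURE = """\
tun0\t10.8.0.1\t53\tmail.example.com
eth0\t192.0.2.53\t53\tnews.example.org
tun0\t10.8.0.1\t53\tnews.example.org
eth0\t198.51.100.7\t443\t
eth0\t2001:db8::53\t53\tshop.example.net
tun0\t192.0.2.53\t53\tbank.example.com
"""

def find_dns_leaks(capture, tunnel_iface, vpn_resolvers):
    """Return {resolver: sorted domain names} for DNS queries that bypassed the VPN.

    A query counts as leaked when it left on a non-tunnel interface, or when
    it used the tunnel but was addressed to a resolver other than the VPN's.
    """
    allowed = {ipaddress.ip_address(r) for r in vpn_resolvers}
    leaks = defaultdict(set)
    for line in capture.splitlines():
        fields = line.split("\t")
        if len(fields) != 4:
            continue  # malformed record
        iface, dst, port, qname = fields
        if port != "53" or not qname:
            continue  # not a plaintext DNS query
        try:
            resolver = ipaddress.ip_address(dst)
        except ValueError:
            continue  # destination is not a valid IP address
        if iface != tunnel_iface or resolver not in allowed:
            leaks[str(resolver)].add(qname.rstrip(".").lower())
    return {r: sorted(names) for r, names in leaks.items()}

if __name__ == "__main__":
    leaks = find_dns_leaks(SAMPLE_CAPTURE, "tun0", ["10.8.0.1"])
    for resolver, names in leaks.items():
        print(f"LEAK via {resolver}: {', '.join(names)}")
```

An empty result for an app that should be tunneled means every plaintext DNS query in the capture went to the VPN's resolver over the tunnel; apps deliberately excluded from the VPN by split tunneling are expected to use the local resolver and should not be included in the capture.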
