GHSA-JPV7-P47H-F43J

Vulnerability from github – Published: 2025-06-23 21:24 – Updated: 2025-06-27 23:08
VLAI?
Summary
letmein connection limiter allows an arbitrary amount of simultaneous connections
Details

Impact

The connection limiter is implemented incorrectly. It allows an arbitrary amount of simultaneously incoming connections (TCP, UDP and Unix socket) for the services letmeind and letmeinfwd. Therefore, the command line option num-connections is not effective and does not limit the number of simultaneously incoming connections.

letmeind is the public network facing daemon (TCP/UDP).

letmeinfwd is the internal firewall daemon that only listens on local Unix socket.

Possible Denial Of Service by resource exhaustion.

Affected versions

All versions <= 10.2.0 are affected.

Patches

All users shall upgrade to version 10.2.1.

Workarounds

Untested possible workarounds: - It might be possible to limit the number of active connections to the letmeind port (default 5800) via firewall. - The resource consumption of the service might be restricted with a service manager such as systemd.

Severity:

If a (D)DoS is run against the service, something is going to be affected. The connection limiter assures that the effect on the system itself is limited at the expense of the effect on the letmein services itself. So even with the connection limiter active, a (D)DoS can lead to a less responsive or unresponsive letmein service.

Severity ?
4.6 (Medium)
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.2.0"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "letmeind"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.2.0"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "letmeinfwd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-52570"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-23T21:24:59Z",
    "nvd_published_at": "2025-06-24T04:15:50Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nThe connection limiter is implemented incorrectly.\nIt allows an arbitrary amount of simultaneously incoming connections (TCP, UDP and Unix socket) for the services `letmeind` and `letmeinfwd`.\nTherefore, the command line option `num-connections` is not effective and does not limit the number of simultaneously incoming connections.\n\n`letmeind` is the public network facing daemon (TCP/UDP).\n\n`letmeinfwd` is the internal firewall daemon that only listens on local Unix socket.\n\nPossible Denial Of Service by resource exhaustion.\n\n### Affected versions\nAll versions `\u003c= 10.2.0` are affected.\n\n### Patches\nAll users shall upgrade to version `10.2.1`.\n\n### Workarounds\n\nUntested possible workarounds:\n- It might be possible to limit the number of active connections to the `letmeind` port (default 5800) via firewall.\n- The resource consumption of the service might be restricted with a service manager such as systemd.\n\n### Severity:\n\nIf a (D)DoS is run against the service, *something* is going to be affected.\nThe connection limiter assures that the effect on the system itself is limited at the expense of the effect on the letmein services itself.\nSo even with the connection limiter active, a (D)DoS can lead to a less responsive or unresponsive letmein service.",
  "id": "GHSA-jpv7-p47h-f43j",
  "modified": "2025-06-27T23:08:47Z",
  "published": "2025-06-23T21:24:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mbuesch/letmein/security/advisories/GHSA-jpv7-p47h-f43j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52570"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mbuesch/letmein/commit/43207cd77580410d97165d1e3c07361ba6f3558c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mbuesch/letmein"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "letmein connection limiter allows an arbitrary amount of simultaneous connections"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.