GHSA-jpv7-p47h-f43j
Vulnerability from github
Published
2025-06-23 21:24
Modified
2025-06-27 23:08
Severity ?
4.6 (Medium) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
Summary
letmein connection limiter allows an arbitrary amount of simultaneous connections
Details

Impact

The connection limiter is implemented incorrectly. It allows an arbitrary amount of simultaneously incoming connections (TCP, UDP and Unix socket) for the services letmeind and letmeinfwd. Therefore, the command line option num-connections is not effective and does not limit the number of simultaneously incoming connections.

letmeind is the public network facing daemon (TCP/UDP).

letmeinfwd is the internal firewall daemon that only listens on local Unix socket.

Possible Denial Of Service by resource exhaustion.

Affected versions

All versions <= 10.2.0 are affected.

Patches

All users shall upgrade to version 10.2.1.

Workarounds

Untested possible workarounds: - It might be possible to limit the number of active connections to the letmeind port (default 5800) via firewall. - The resource consumption of the service might be restricted with a service manager such as systemd.

Severity:

If a (D)DoS is run against the service, something is going to be affected. The connection limiter assures that the effect on the system itself is limited at the expense of the effect on the letmein services itself. So even with the connection limiter active, a (D)DoS can lead to a less responsive or unresponsive letmein service.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.2.0"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "letmeind"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.2.0"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "letmeinfwd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-52570"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-23T21:24:59Z",
    "nvd_published_at": "2025-06-24T04:15:50Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nThe connection limiter is implemented incorrectly.\nIt allows an arbitrary amount of simultaneously incoming connections (TCP, UDP and Unix socket) for the services `letmeind` and `letmeinfwd`.\nTherefore, the command line option `num-connections` is not effective and does not limit the number of simultaneously incoming connections.\n\n`letmeind` is the public network facing daemon (TCP/UDP).\n\n`letmeinfwd` is the internal firewall daemon that only listens on local Unix socket.\n\nPossible Denial Of Service by resource exhaustion.\n\n### Affected versions\nAll versions `\u003c= 10.2.0` are affected.\n\n### Patches\nAll users shall upgrade to version `10.2.1`.\n\n### Workarounds\n\nUntested possible workarounds:\n- It might be possible to limit the number of active connections to the `letmeind` port (default 5800) via firewall.\n- The resource consumption of the service might be restricted with a service manager such as systemd.\n\n### Severity:\n\nIf a (D)DoS is run against the service, *something* is going to be affected.\nThe connection limiter assures that the effect on the system itself is limited at the expense of the effect on the letmein services itself.\nSo even with the connection limiter active, a (D)DoS can lead to a less responsive or unresponsive letmein service.",
  "id": "GHSA-jpv7-p47h-f43j",
  "modified": "2025-06-27T23:08:47Z",
  "published": "2025-06-23T21:24:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mbuesch/letmein/security/advisories/GHSA-jpv7-p47h-f43j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52570"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mbuesch/letmein/commit/43207cd77580410d97165d1e3c07361ba6f3558c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mbuesch/letmein"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "letmein connection limiter allows an arbitrary amount of simultaneous connections"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.