PT-2025-25226 · Gnu+1 · Http Request2+1
Egor Filatov · Published 2025-03-14 · Updated 2025-08-26
CVE-2025-43711
CVSS v3.1: 8.1 (High) | AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
Tunnelblick versions 3.5beta06 through 6.x
Tunnelblick version 7.0 and earlier
Description:
The issue is related to the HTTP Request2 library used for processing HTTP requests in the Tunnelblick VPN client. It involves information disclosure through the test scripts tests/_network/getparameters.php and tests/_network/postparameters.php in the library's test directory. Exploitation of this issue can allow a remote attacker to conduct a cross-site scripting (XSS) attack and potentially elevate privileges to the root level.
Recommendations:
For Tunnelblick versions 3.5beta06 through 6.x, completely uninstall the previous version before installing a newer version to prevent potential exploitation.
For Tunnelblick version 7.0 and earlier, ensure that any incomplete uninstallation does not leave behind exploitable components, and consider upgrading to a version where this issue is resolved.
As a temporary workaround, consider restricting access to the tests/_network directory to minimize the risk of exploitation.
Fix
LPE
Affected Products: Http Request2, Tunnelblick