CVE-2026-24902

Name of the Vulnerable Software and Affected Versions TrustTunnel versions prior to 0.9.114

Description TrustTunnel, an open-source VPN protocol, contains a server-side request forgery and private network restriction bypass. The issue stems from insufficient SSRF protection within the tcp forwarder.rs file. Specifically, the protection for preventing connections to private networks when allow private network connections = false was only applied to hostname-based destinations (TcpDestination::HostName(peer)). The numeric IP address-based destination path (TcpDestination::Address(peer) => peer) bypassed these checks, allowing connections to loopback and private network targets. This bypass occurs because the TcpStream::connect() function is called without equivalent checks like is global ip or is loopback.

Recommendations Update to TrustTunnel version 0.9.114 or later.