PT-2026-53972 · Coturn · Coturn
Published
2026-06-30
·
Updated
2026-07-10
·
CVE-2026-53450
CVSS v3.1
7.4
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
coturn versions prior to 4.13.0
Description
An authenticated TURN client can bypass the default loopback guard by using the IPv4-mapped IPv6 peer address
::ffff:127.0.0.1 within a TURN XOR-PEER-ADDRESS attribute. This occurs because the ioa addr is loopback function checks for the literal IPv6 loopback shape before handling IPv4-mapped IPv6 addresses, causing the good peer addr function to fail in applying the default loopback rejection. Consequently, an attacker can expose services bound only to localhost on the host through TURN relay traffic.Recommendations
Update to version 4.13.0 or later.
Exploit
Fix
SSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Coturn