GHSA-jpv7-p47h-f43j

Source

https://github.com/advisories/GHSA-jpv7-p47h-f43j

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-jpv7-p47h-f43j/GHSA-jpv7-p47h-f43j.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-jpv7-p47h-f43j

Aliases

CVE-2025-52570

Published

2025-06-23T21:24:59Z

Modified

2025-06-23T21:44:47.975928Z

Severity

4.6 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U CVSS Calculator

Summary

letmein connection limiter allows an arbitrary amount of simultaneous connections

Details

Impact

The connection limiter is implemented incorrectly. It allows an arbitrary amount of simultaneously incoming connections (TCP, UDP and Unix socket) for the services letmeind and letmeinfwd. Therefore, the command line option num-connections is not effective and does not limit the number of simultaneously incoming connections.

letmeind is the public network facing daemon (TCP/UDP).

letmeinfwd is the internal firewall daemon that only listens on local Unix socket.

Possible Denial Of Service by resource exhaustion.

Affected versions

All versions <= 10.2.0 are affected.

Patches

All users shall upgrade to version 10.2.1.

Workarounds

Untested possible workarounds: - It might be possible to limit the number of active connections to the letmeind port (default 5800) via firewall. - The resource consumption of the service might be restricted with a service manager such as systemd.

Severity:

If a (D)DoS is run against the service, something is going to be affected. The connection limiter assures that the effect on the system itself is limited at the expense of the effect on the letmein services itself. So even with the connection limiter active, a (D)DoS can lead to a less responsive or unresponsive letmein service.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-770"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-23T21:24:59Z"
}

References

Affected packages

crates.io / letmeind

Package

Name: letmeind; View open source insights on deps.dev
Purl: pkg:cargo/letmeind

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

10.2.1

Database specific

{
    "last_known_affected_version_range": "<= 10.2.0"
}

crates.io / letmeinfwd

Package

Name: letmeinfwd; View open source insights on deps.dev
Purl: pkg:cargo/letmeinfwd

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

10.2.1

Database specific

{
    "last_known_affected_version_range": "<= 10.2.0"
}