Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Pre-auth remote overflow before the AES-GCM check gives AV:N/AC:L/PR:N/UI:N; impacts set High for the plausible RCE primitive, since the --oauth dependency is environmental rather than a base metric.
Primary rating from Vendor (GitHub_M).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
8DescriptionNVD
Coturn is a free open source implementation of TURN and STUN Server. Versions prior to 4.10.0 contain a stack buffer overflow in decode_oauth_token_gcm(). A uint16_t nonce_len field read from an attacker-supplied OAuth access token (0-65535) is passed directly to memcpy() as the copy length into a 256-byte stack buffer (oauth_encrypted_block.nonce[256]) without bounds checking. The overflow occurs before AES-GCM authentication is verified, the attacker does not need to know the OAuth key or produce a valid AES-GCM token. Up to 735 bytes of attacker-controlled data are written past the buffer, may corrupt adjacent stack data, including control-flow data depending on compiler, ABI, and mitigations. Requires --oauth mode (non-default). This may provide a plausible RCE primitive depending on exploit mitigations; because coturn is widely deployed for WebRTC TURN/STUN and --oauth is commonly recommended, impact can be broad. This issue has been fixed in version 4.10.0.
AnalysisAI
Stack buffer overflow in Coturn's OAuth token decoder (decode_oauth_token_gcm()) lets remote unauthenticated attackers corrupt the server stack in all versions prior to 4.10.0. An attacker-controlled uint16_t nonce_len value (up to 65535) read from an OAuth access token is passed straight into memcpy() against a 256-byte stack buffer before any AES-GCM authentication, so no OAuth key or valid token is required to write up to 735 bytes past the buffer. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The server MUST be running in --oauth mode (explicitly noted as non-default) for the vulnerable decode_oauth_token_gcm() path to be reachable - this is the single hard prerequisite and the primary limiting factor. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and should be weighed carefully. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach an internet-facing Coturn server running in --oauth mode crafts a malformed OAuth access token whose embedded nonce_len field is set far above 256, then sends it during a TURN authentication exchange. Coturn copies the oversized nonce into a 256-byte stack buffer before verifying the AES-GCM tag, overflowing it by up to 735 bytes of attacker-controlled data and corrupting adjacent stack/control-flow data - yielding at minimum a remote crash (DoS) and potentially code execution depending on stack mitigations. … |
| Remediation | Vendor-released patch: 4.10.0 - upgrade Coturn to 4.10.0 or later, which contains the fix titled 'Fix stack buffer overflow in OAuth token decoding' (PR #1850) per the release notes (https://github.com/coturn/coturn/releases/tag/4.10.0); review advisory GHSA-74pg-rfh2-5qw5 for details. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all Coturn deployments to identify instances running with the --oauth flag enabled. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
An exploitable heap out-of-bounds read vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. R
An exploitable denial-of-service vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. Rated h
Coturn TURN/STUN server contains an access control bypass that allows remote attackers to reach blocked internal address
Remote denial of service in Coturn TURN/STUN server allows unauthenticated attackers to crash ARM64 deployments with a s
In coturn before version 4.5.1.3, there is an issue whereby STUN/TURN response buffer is not initialized properly. Rated
Server-side request forgery in coturn TURN/STUN server before 4.13.0 lets an authenticated TURN client bypass the defaul
SQL injection in the Coturn TURN/STUN server's HTTPS admin panel (versions prior to 4.12.0) allows an authenticated admi
Arbitrary file overwrite in Coturn prior to 4.13.0 is possible through the CLI management interface's `psd` (print sessi
Stored XSS in Coturn's web-admin HTTPS interface (all versions prior to 4.11.0) allows a TURN-level attacker to inject p
Same weakness CWE-120 – Classic Buffer Overflow
View allSame technique Buffer Overflow
View allVendor StatusVendor
SUSE
Severity: CriticalShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37941