Severity by source
AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Local CLI admin access required (AV:L/PR:H); file overwrite without path control yields high integrity impact; critical file corruption causes availability loss; no confidentiality impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.13.0, the psd print sessions dump CLI command in coturn takes a filename argument and directly passes it to fopen with no path validation. An authenticated admin with CLI access can overwrite arbitrary files writable by the coturn process because the command string is used as-is after stripping the psd prefix and leading spaces, allowing truncation and overwrite with session dump data. This issue is fixed in version 4.13.0.
AnalysisAI
Arbitrary file overwrite in Coturn prior to 4.13.0 is possible through the CLI management interface's psd (print sessions dump) command, which passes a user-supplied filename directly to fopen() without any path validation (CWE-73). An authenticated admin with CLI access can overwrite any file writable by the coturn process, potentially corrupting sensitive system files, certificates, or configuration data to achieve privilege escalation or service disruption. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated administrator account with active access to the Coturn CLI management interface - this is enforced by the CVSS PR:H metric and the description's explicit 'authenticated admin with CLI access' qualifier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H scores 6.0 (Medium), accurately reflecting that this is a local-only, high-privilege attack with no remote exploitation path. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated Coturn CLI administrator - either a malicious insider or an attacker who has obtained admin credentials - connects to the management interface and issues a `psd /etc/cron.d/coturn-backdoor` command. The coturn process writes TURN session dump data to the specified cron path without validation, creating or overwriting the file with attacker-influenced content, which the cron daemon may subsequently execute as root. … |
| Remediation | Upgrade to Coturn 4.13.0, the vendor-released patched version available at https://github.com/coturn/coturn/releases/tag/4.13.0, which resolves the missing path validation in the `psd` CLI command. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
An exploitable heap out-of-bounds read vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. R
An exploitable denial-of-service vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. Rated h
Coturn TURN/STUN server contains an access control bypass that allows remote attackers to reach blocked internal address
Stack buffer overflow in Coturn's OAuth token decoder (decode_oauth_token_gcm()) lets remote unauthenticated attackers c
Remote denial of service in Coturn TURN/STUN server allows unauthenticated attackers to crash ARM64 deployments with a s
In coturn before version 4.5.1.3, there is an issue whereby STUN/TURN response buffer is not initialized properly. Rated
Server-side request forgery in coturn TURN/STUN server before 4.13.0 lets an authenticated TURN client bypass the defaul
SQL injection in the Coturn TURN/STUN server's HTTPS admin panel (versions prior to 4.12.0) allows an authenticated admi
Stored XSS in Coturn's web-admin HTTPS interface (all versions prior to 4.11.0) allows a TURN-level attacker to inject p
Same weakness CWE-73 – External Control of File Name or Path
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42970