Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Network-reachable relay abuse with low complexity but requiring valid TURN credentials (PR:L); scope changes as traffic reaches services beyond the TURN authorization boundary, with low impact bounded by what localhost exposes.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.13.0, coturn rejects loopback peers by default unless allow-loopback-peers is enabled, but the default loopback guard can be bypassed by using the IPv4-mapped IPv6 peer address ::ffff:127.0.0.1 in a TURN XOR-PEER-ADDRESS attribute. ioa_addr_is_loopback checks for the literal IPv6 loopback shape before IPv4-mapped IPv6 handling, so good_peer_addr does not apply the default loopback rejection and an authenticated TURN client can expose services bound only to localhost on the coturn host through TURN relay traffic. This issue is fixed in version 4.13.0.
AnalysisAI
Server-side request forgery in coturn TURN/STUN server before 4.13.0 lets an authenticated TURN client bypass the default loopback-peer guard by supplying the IPv4-mapped IPv6 address ::ffff:127.0.0.1 in the XOR-PEER-ADDRESS attribute, relaying traffic to services bound only to the coturn host's localhost. The loopback check evaluates the literal IPv6 loopback shape before IPv4-mapped IPv6 normalization, so good_peer_addr never applies the rejection even when allow-loopback-peers is disabled. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated TURN client (valid coturn credentials, matching CVSS PR:L) that can send a TURN allocation/relay request with a crafted XOR-PEER-ADDRESS of the IPv4-mapped IPv6 form ::ffff:127.0.0.1. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are moderate and internally consistent rather than alarming. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds valid TURN credentials (for example, a legitimate user of a shared WebRTC/TURN service) creates a TURN allocation and issues a relay request with XOR-PEER-ADDRESS set to ::ffff:127.0.0.1 plus the target port, causing coturn to forward the attacker's traffic to a service listening only on the host's loopback interface. This lets the attacker reach otherwise-unreachable localhost services - such as an internal admin panel, metrics/debug endpoint, or metadata proxy - for information disclosure or limited manipulation. … |
| Remediation | Vendor-released patch: upgrade coturn to version 4.13.0 or later, which corrects the ordering so ioa_addr_is_loopback normalizes IPv4-mapped IPv6 addresses before the loopback test; see GHSA-w4hf-cr3w-6h79 and commit b057acbebe721c8f2f202ddad5e16289e295c754. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory coturn deployments and document versions below 4.13.0. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
An exploitable heap out-of-bounds read vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. R
An exploitable denial-of-service vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. Rated h
Coturn TURN/STUN server contains an access control bypass that allows remote attackers to reach blocked internal address
Stack buffer overflow in Coturn's OAuth token decoder (decode_oauth_token_gcm()) lets remote unauthenticated attackers c
Remote denial of service in Coturn TURN/STUN server allows unauthenticated attackers to crash ARM64 deployments with a s
In coturn before version 4.5.1.3, there is an issue whereby STUN/TURN response buffer is not initialized properly. Rated
SQL injection in the Coturn TURN/STUN server's HTTPS admin panel (versions prior to 4.12.0) allows an authenticated admi
Arbitrary file overwrite in Coturn prior to 4.13.0 is possible through the CLI management interface's `psd` (print sessi
Stored XSS in Coturn's web-admin HTTPS interface (all versions prior to 4.11.0) allows a TURN-level attacker to inject p
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42971