CVE-2025-52570 – letmeind

Package

Manager: cargo
Name: letmeind
Vulnerable Version: >=0 <10.2.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:U/RC:R

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

EPSS: 0.00063 pctl0.1986

Details

letmein connection limiter allows an arbitrary amount of simultaneous connections ### Impact The connection limiter is implemented incorrectly. It allows an arbitrary amount of simultaneously incoming connections (TCP, UDP and Unix socket) for the services `letmeind` and `letmeinfwd`. Therefore, the command line option `num-connections` is not effective and does not limit the number of simultaneously incoming connections. `letmeind` is the public network facing daemon (TCP/UDP). `letmeinfwd` is the internal firewall daemon that only listens on local Unix socket. Possible Denial Of Service by resource exhaustion. ### Affected versions All versions `<= 10.2.0` are affected. ### Patches All users shall upgrade to version `10.2.1`. ### Workarounds Untested possible workarounds: - It might be possible to limit the number of active connections to the `letmeind` port (default 5800) via firewall. - The resource consumption of the service might be restricted with a service manager such as systemd. ### Severity: If a (D)DoS is run against the service, *something* is going to be affected. The connection limiter assures that the effect on the system itself is limited at the expense of the effect on the letmein services itself. So even with the connection limiter active, a (D)DoS can lead to a less responsive or unresponsive letmein service.

Metadata

Created: 2025-06-23T21:24:59Z
Modified: 2025-06-27T23:08:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-jpv7-p47h-f43j/GHSA-jpv7-p47h-f43j.json
CWE IDs: ["CWE-770"]
Alternative ID: GHSA-jpv7-p47h-f43j
Finding: F002
Auto approve: 1