Coturn Project Coturn vulnerabilities
11 known vulnerabilities affecting coturn_project/coturn.
Total CVEs: 11
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 5, MEDIUM 2
Vulnerabilities
CVE-2018-4056 | P2 | CRITICAL | CVSS 9.8 | CWE-89 | fixed in 4.5.0.9 | 2019-02-05
An exploitable SQL injection vulnerability exists in the administrator web portal function of coTURN prior to version 4.5.0.9. A login message with a specially crafted username can cause an SQL injection, resulting in authentication bypass, which could give access to the TURN server administrator web portal. An attacker can log in via the external in
Sources: NVD, OSV
CVE-2026-43994 | P2 | CRITICAL | CVSS 9.8 | CWE-120 | fixed in 4.10.0 | 2026-06-18
Coturn is a free open source implementation of TURN and STUN Server. Versions prior to 4.10.0 contain a stack buffer overflow in decode_oauth_token_gcm(). A uint16_t nonce_len field read from an attacker-supplied OAuth access token (0-65535) is passed directly to memcpy() as the copy length into a 256-byte stack buffer (oauth_encrypted_block.nonce
Sources: NVD
CVE-2018-4059 | P3 | CRITICAL | CVSS 9.8 | CWE-862 | fixed in 4.5.0.9 | 2019-03-21
An exploitable unsafe default configuration vulnerability exists in the TURN server function of coTURN prior to version 4.5.0.9. By default, the TURN server runs an unauthenticated telnet admin portal on the loopback interface. This can provide administrator access to the TURN server configuration, which can lead to additional attacks. An attacker w
Sources: NVD, OSV
CVE-2020-6061 | P3 | CRITICAL | CVSS 9.8 | CWE-125 | version 4.5.1.1 (CoTURN 4.5.1.1) | 2020-02-19
An exploitable heap out-of-bounds read vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. A specially crafted HTTP POST request can lead to information leaks and other misbehavior. An attacker needs to send an HTTPS request to trigger this vulnerability.
Sources: NVD, OSV
CVE-2026-40613 | P3 | HIGH | CVSS 7.5 | CWE-704 | fixed in 4.10.0 | 2026-04-21
Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.10.0, the STUN/TURN attribute parsing functions in coturn perform unsafe pointer casts from uint8_t * to uint16_t * without alignment checks. When processing a crafted STUN message with odd-aligned attribute boundaries, this results in misaligned memory reads at ns_turn_msg
Sources: NVD
CVE-2020-4067 | P3 | HIGH | CVSS 7.5 | CWE-665 | fixed in 4.5.1.3 | 2020-06-29
In coturn before version 4.5.1.3, there is an issue whereby the STUN/TURN response buffer is not initialized properly. There is a leak of information between different client connections. One client (an attacker) could use their connection to intelligently query coturn to get interesting bytes in the padding bytes from the connection of another client. This
Sources: NVD, OSV
CVE-2018-4058 | P3 | HIGH | CVSS 7.7 | fixed in 4.5.0.9 | 2019-03-21
An exploitable unsafe default configuration vulnerability exists in the TURN server functionality of coTURN prior to 4.5.0.9. By default, the TURN server allows relaying external traffic to the loopback interface of its own host. This can provide access to other private services running on that host, which can lead to further attacks. An attacker can set up a r
Sources: NVD, OSV
CVE-2020-26262 | P3 | HIGH | CVSS 7.2 | CWE-441 | fixed in 4.5.2 | 2021-01-13
Coturn is a free open source implementation of TURN and STUN Server. Coturn before version 4.5.2 by default does not allow peers to connect and relay packets to loopback addresses in the range of `127.x.x.x`. However, it was observed that when sending a `CONNECT` request with the `XOR-PEER-ADDRESS` value of `0.0.0.0`, a successful response was received
Sources: NVD, OSV
CVE-2020-6062 | P3 | HIGH | CVSS 7.5 | CWE-476 | version 4.5.1.1 (CoTURN 4.5.1.1) | 2020-02-19
An exploitable denial-of-service vulnerability exists in the way CoTURN 4.5.1.1 web server parses POST requests. A specially crafted HTTP POST request can lead to server crash and denial of service. An attacker needs to send an HTTP request to trigger this vulnerability.
Sources: NVD, OSV
CVE-2026-27624 | P3 | MEDIUM | CVSS 6.5 | fixed in 4.9.0 | 2026-02-25
Coturn is a free open source implementation of TURN and STUN Server. Coturn is commonly configured to block loopback and internal ranges using "denied-peer-ip" and/or default loopback restrictions. CVE-2020-26262 addressed bypasses involving "0.0.0.0", "[::1]" and "[::]", but IPv4-mapped IPv6 is not covered. When sending a "CreatePermission" or "ChannelBind
Sources: NVD
CVE-2026-43915 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 4.11.0 | 2026-06-18
Coturn is a free open source implementation of TURN and STUN Server. Versions prior to 4.11.0 contain a stored cross-site scripting (XSS) vulnerability in the web-admin HTTPS interface. An attacker who can create a TURN allocation with a crafted USERNAME value can inject HTML/JavaScript that executes when an authenticated web-admin user views the TUR
Sources: NVD