CVE-2026-24902

Summary

TrustTunnel is an open-source VPN protocol with a server-side request forgery and and private network restriction bypass in versions prior to 0.9.114. In tcp_forwarder.rs, SSRF protection for allow_private_network_connections = false was only applied in the TcpDestination::HostName(peer) path. The TcpDestination::Address(peer) => peer path proceeded to TcpStream::connect() without equivalent checks (for example is_global_ip, is_loopback), allowing loopback/private targets to be reached by supplying a numeric IP. The vulnerability is fixed in version 0.9.114.

Affected Software

VendorProductVersion RangeStatus
TrustTunnelTrustTunnel< 0.9.114affected

Weaknesses

  • CWE-918: CWE-918: Server-Side Request Forgery (SSRF)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References