CVE-2018-6849

MEDIUM

DuckDuckGo 4.2.0 - Private IP Address Exposure via WebRTC STUN Request

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2018-6849. PoCs were published by Dhiraj Mishra and Daniel Roesler, including the Metasploit module auxiliary/gather/browser_lanipleak.

AI-analyzed exploit summary: This Metasploit module exploits a WebRTC vulnerability (CVE-2018-6849) to leak private IP addresses by tricking browsers into revealing local network IPs via STUN requests. It sets up an HTTP server to deliver malicious JavaScript and collect leaked IPs via POST requests.

Description

In the WebRTC component in DuckDuckGo 4.2.0, after visiting a web site that attempts to gather complete client information (such as https://ip.voidsec.com), the browser can disclose a private IP address in a STUN request.

Exploits (2)

exploitdb WORKING POC
by Dhiraj Mishra · ruby · webapps · multiple
https://www.exploit-db.com/exploits/44403

This Metasploit module exploits a WebRTC vulnerability (CVE-2018-6849) to leak private IP addresses by tricking browsers into revealing local network IPs via STUN requests. It sets up an HTTP server to deliver malicious JavaScript and collect leaked IPs via POST requests.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Web browsers with WebRTC support (e.g., Chrome, Firefox)
No auth needed
Prerequisites: Victim must visit attacker-controlled webpage · WebRTC must be enabled in the browser
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC
by Daniel Roesler, Dhiraj Mishra · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/browser_lanipleak.rb

This Metasploit module exploits WebRTC to gather LAN IP addresses from a browser by leveraging STUN server requests and ICE candidate parsing. It serves a malicious HTML page that extracts the client's internal IP and sends it back to the attacker.

Classification: Working PoC 90%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Browsers supporting WebRTC (Chrome, Firefox, etc.)
No auth needed
Prerequisites: Victim must visit the malicious URL · Browser must support WebRTC
devstral-2 · analyzed Feb 16, 2026

References (5)

Core References
Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/rapid7/metasploit-framework/pull/9538
Third Party Advisory x_refsource_misc
https://voidsec.com/vpn-leak/
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44403/
Third Party Advisory x_refsource_misc
https://news.ycombinator.com/item?id=16699270

Scores

CVSS v3 4.3
EPSS 0.7531
EPSS Percentile 98.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Details

CWE CWE-200
Status published
Products (1)
duckduckgo/duckduckgo 4.2.0
Published Apr 01, 2018
Tracked Since Feb 18, 2026