CVE-2025-52570

LOW

Letmein <10.2.1 - DoS

Title source: llm

Description

Letmein is an authenticating port knocker. Prior to version 10.2.1, The connection limiter is implemented incorrectly. It allows an arbitrary amount of simultaneously incoming connections (TCP, UDP and Unix socket) for the services letmeind and letmeinfwd. Therefore, the command line option num-connections is not effective and does not limit the number of simultaneously incoming connections. This issue has been patched in version 10.2.1.

References (2)

[Vendor Advisory] https://github.com/mbuesch/letmein/security/advisories/GHSA-jpv7-p47h-f43j

[Patch] https://github.com/mbuesch/letmein/commit/43207cd77580410d97165d1e3c07361ba6f3558c

View Patch ZIP pw:eip

Scores

CVSS v4 1.7

EPSS 0.0015

EPSS Percentile 35.2%

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-770 CWE-799

Status published

Products (3)

crates.io/letmeind 0 - 10.2.1crates.io

crates.io/letmeinfwd 0 - 10.2.1crates.io

mbuesch/letmein < 10.2.1

Published Jun 24, 2025

Tracked Since Feb 18, 2026