CVE-2025-52570: letmein connection limiter allows an arbitrary amount of simultaneous connections
The connection limiter is implemented incorrectly.
It allows an arbitrary number of simultaneous incoming connections (TCP, UDP and Unix socket) for the services letmeind and letmeinfwd.
Therefore, the command line option num-connections is not effective and does not limit the number of simultaneous incoming connections.
letmeind is the public network facing daemon (TCP/UDP).
letmeinfwd is the internal firewall daemon that only listens on a local Unix socket.
Possible Denial Of Service by resource exhaustion.
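An added example, not letmein's code and not the project's fix: one way to enforce a cap on simultaneous connections is to reserve a slot in a single atomic step before serving and to tie its release to the connection's lifetime. `ConnLimiter`, `Permit` and `admitted_under_burst` are hypothetical names, and the burst is a constructed scenario that uses threads in place of sockets.

```rust
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::Arc;

/// Hypothetical limiter: caps how many connections are alive at once.
pub struct ConnLimiter { max: usize, active: Arc<AtomicUsize> }

/// Held for the lifetime of one connection; dropping it frees the slot.
pub struct Permit { active: Arc<AtomicUsize> }

impl ConnLimiter {
    pub fn new(max: usize) -> Self {
        Self { max, active: Arc::new(AtomicUsize::new(0)) }
    }

    /// Check and increment in one atomic step; None means "limit reached".
    pub fn try_acquire(&self) -> Option<Permit> {
        let max = self.max;
        self.active
            .fetch_update(Ordering::AcqRel, Ordering::Acquire, |n| {
                if n < max { Some(n + 1) } else { None }
            })
            .ok()
            .map(|_| Permit { active: Arc::clone(&self.active) })
    }

    pub fn active(&self) -> usize { self.active.load(Ordering::Acquire) }
}

impl Drop for Permit {
    fn drop(&mut self) { self.active.fetch_sub(1, Ordering::AcqRel); }
}

/// Constructed scenario: `attempts` clients connect at once and stay open.
/// Returns how many were admitted.
pub fn admitted_under_burst(max: usize, attempts: usize) -> usize {
    let limiter = Arc::new(ConnLimiter::new(max));
    let handles: Vec<_> = (0..attempts)
        .map(|_| {
            let l = Arc::clone(&limiter);
            std::thread::spawn(move || l.try_acquire())
        })
        .collect();
    // Keep every permit alive so admitted connections remain "open".
    let held: Vec<Permit> = handles.into_iter().filter_map(|h| h.join().unwrap()).collect();
    held.len()
}

fn main() {
    println!("admitted {} of 64 with limit 8", admitted_under_burst(8, 64));
}
```

A burst test of this shape, run against the real accept path, is the regression check that shows whether a configured connection limit actually holds.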