Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in coTURN - CVE-2025-69217
Published: January 7, 2026
Vulnerability identifier: #VU121011
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-69217
CWE-ID: CWE-338
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: coTURN
Affected software:
coTURN
coTURN
Detailed vulnerability description
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to usage of bad random number generator for nonces and port randomization after refactoring. A remote attacker can send 50 unauthenticated allocations requests and completely reconstruct the current state of the random number generator, leading to spoofing. authentication bypass and denial of service.
How to mitigate CVE-2025-69217
Install updates from vendor's website.