Random Number Generation Flaw in coturn TURN and STUN Server
CVE-2025-69217

7.7 HIGH

Key Information:

Vendor: Coturn
Status: Vendor
CVE Published: 30 December 2025

What is CVE-2025-69217?

This vulnerability in coturn involves improper random number generation that undermines the security of nonce creation and port randomization. Affected versions do not use a cryptographically secure random function: they rely on libc's random() instead of OpenSSL's RAND_bytes. As a result, an attacker who issues a series of unauthenticated allocation requests can predict nonces and port allocations, enabling unauthorized access and, in environments such as IoT, IP address spoofing. A patch addressing this issue is available in commit 11fc465f4bba70bb0ad8aae17d6c4a63a29917d9.
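The weak and hardened nonce generators side by side, as an added illustration that is not coturn's code: the weak one mirrors the libc random() pattern described above, while the hardened one draws bytes from the OS CSPRNG via /dev/urandom as a dependency-free stand-in for the OpenSSL RAND_bytes call the fix adopts. The nonce length, the /dev/urandom path and the helper names are assumptions.

```c
#define _DEFAULT_SOURCE               /* expose random()/srandom() on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NONCE_BYTES 16                /* assumed nonce size for this illustration */
#define NONCE_HEX_LEN (NONCE_BYTES * 2)

/* Weak pattern: libc random() is a deterministic PRNG, so anyone who learns (or
 * guesses) the seed reproduces every nonce the server will hand out. */
void weak_nonce(unsigned seed, char out[NONCE_HEX_LEN + 1]) {
    srandom(seed);
    for (int i = 0; i < NONCE_BYTES; i++)
        sprintf(out + 2 * i, "%02x", (unsigned)(random() & 0xff));
}

/* Hardened pattern: bytes come from the kernel CSPRNG. The coturn fix uses
 * OpenSSL's RAND_bytes(); /dev/urandom is used here to avoid a library dependency.
 * Returns 0 on success, -1 if the CSPRNG could not be read. */
int secure_nonce(char out[NONCE_HEX_LEN + 1]) {
    unsigned char buf[NONCE_BYTES];
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(buf, 1, sizeof buf, f);
    fclose(f);
    if (got != sizeof buf) return -1; /* short read: refuse to issue a nonce */
    for (int i = 0; i < NONCE_BYTES; i++)
        sprintf(out + 2 * i, "%02x", buf[i]);
    return 0;
}

/* Check: two weak generators started from the same seed emit the same nonce. */
int weak_is_reproducible(unsigned seed) {
    char a[NONCE_HEX_LEN + 1], b[NONCE_HEX_LEN + 1];
    weak_nonce(seed, a);
    weak_nonce(seed, b);
    return strcmp(a, b) == 0;
}

/* Check: two CSPRNG-backed nonces are well-formed and (overwhelmingly) distinct. */
int secure_is_distinct(void) {
    char a[NONCE_HEX_LEN + 1], b[NONCE_HEX_LEN + 1];
    if (secure_nonce(a) != 0 || secure_nonce(b) != 0) return -1;
    if (strlen(a) != NONCE_HEX_LEN || strlen(b) != NONCE_HEX_LEN) return 0;
    return strcmp(a, b) != 0;
}

int main(void) {
    char w[NONCE_HEX_LEN + 1], s[NONCE_HEX_LEN + 1];
    weak_nonce(1700000000u, w);       /* a time(NULL)-style seed, constructed */
    printf("weak   nonce: %s (reproducible: %d)\n", w, weak_is_reproducible(1700000000u));
    if (secure_nonce(s) == 0) printf("secure nonce: %s\n", s);
    return 0;
}
```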

Affected Version(s)

coturn >= 4.6.2r5, <= 4.7.0-r4

CVSS V3.1

Score: 7.7
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved
