CVE-2020-23622
Description
An issue in the UPnP protocol in 4thline cling 2.0.0 through 2.1.2 allows remote attackers to cause a denial of service via an unchecked CALLBACK parameter in the request header
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unchecked CALLBACK parameter in 4thline cling UPnP library allows remote DoS via SUBSCRIBE requests.
Vulnerability
Description
CVE-2020-23622 is a vulnerability in the UPnP protocol implementation of 4thline cling versions 2.0.0 through 2.1.2. The flaw lies in the SUBSCRIBE request handler, where the CALLBACK header parameter is not properly validated [3]. This allows an attacker to supply arbitrary URIs in the CALLBACK field, which the server will then use to send event notifications.
Exploitation
An attacker can exploit this vulnerability by sending a specially crafted HTTP SUBSCRIBE request to a device using the affected cling library. No authentication is required, and the attack can be conducted remotely over the network [4]. The unchecked CALLBACK parameter enables server-side request forgery (SSRF) and can be used to force the device to send traffic to arbitrary IP addresses.
Impact
Successful exploitation can lead to denial of service (DoS) by overwhelming the target with network traffic [2]. Additionally, the vulnerability can be used for reflection-based amplified TCP DDoS attacks and intranet port scanning, as described in related research on the UPnP CallStranger flaw [2][4].
Mitigation
The 4thline cling project is no longer actively maintained and has reached end-of-life (EOL) [1]. No official patch is available. Users are advised to disable UPnP on devices using cling or migrate to alternative UPnP libraries.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.fourthline.cling:cling-core (Maven) | >= 2.0.0, <= 2.1.2 | — |
Affected products
- 4thline/cling
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Unchecked CALLBACK parameter in the UPnP SUBSCRIBE request header allows an attacker to control the destination of outbound connection attempts, enabling SSRF and DoS."
Attack vector
An attacker sends a specially crafted HTTP SUBSCRIBE request to a vulnerable UPnP device, setting the CALLBACK header to a destination of their choosing [ref_id=1]. The device then tries to open a TCP connection to that destination, sending repeated SYN packets; pointed at a third party, this lets the device be used to flood arbitrary targets and cause a denial of service [ref_id=1]. This is a server-side request forgery (SSRF)-like attack vector [CWE-918] [ref_id=1].
Affected code
The vulnerability resides in the UPnP SUBSCRIBE request handler, where the CALLBACK header value is accepted without sufficient validation. The advisory identifies that the flaw exists in 4thline cling versions 2.0.0 through 2.1.2, but does not specify exact file paths or function names [ref_id=1].
What the fix does
The advisory does not provide a specific patch for 4thline cling. Instead, it notes that the Open Connectivity Foundation (OCF) made changes to the UPnP protocol specification at the protocol level, and manufacturers of affected devices are in the process of determining impact and releasing patches [ref_id=1]. No fix commit is published in the supplied bundle.
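The following is an added example, not code from cling or from the advisory. It shows the shape of the SUBSCRIBE request described above (a constructed sample, with a CALLBACK pointing at a third-party address) and the kind of check a hardened event handler would apply before using a CALLBACK URL: the vulnerable behaviour is to accept every URL as given, while the check below only accepts http URLs whose host is an IP literal equal to the address the SUBSCRIBE request came from, so the device never initiates connections to anyone but the subscriber. The exact policy, the callback cap and the function names are assumptions made for the example; they are not cling's API or the OCF's wording.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: a SUBSCRIBE request as an attacker might send it to a
# UPnP device's event subscription URL. The CALLBACK header names a third party
# (a documentation-range address) instead of the subscriber's own address.
SAMPLE_REQUEST = (
    b"SUBSCRIBE /dev/evt/basic HTTP/1.1\r\n"
    b"HOST: 192.168.1.20:8080\r\n"
    b"CALLBACK: <http://203.0.113.7:80/>\r\n"
    b"NT: upnp:event\r\n"
    b"TIMEOUT: Second-1800\r\n"
    b"\r\n"
)

MAX_CALLBACKS = 4  # assumption: cap the number of delivery URLs per subscription


def parse_subscribe(raw: bytes) -> dict:
    """Parse the request line and headers of a SUBSCRIBE request.
    HTTP header names are case-insensitive, so they are normalised to upper case."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def callback_urls(headers: dict) -> list:
    """CALLBACK carries one or more delivery URLs, each wrapped in angle brackets."""
    value = headers.get("CALLBACK", "")
    urls = []
    for chunk in value.split("<")[1:]:
        url, _, _ = chunk.partition(">")
        urls.append(url.strip())
    return urls


def check_callback(url: str, subscriber_ip: str) -> str:
    """Return 'ok' or a rejection reason for one callback URL.

    Policy (an assumption for this example, in the spirit of restricting event
    delivery to the subscriber itself):
      - http scheme only, host must be an IP literal (no DNS lookups from a
        remote-controlled value)
      - host must equal the source address of the SUBSCRIBE request
      - port, if given, must be 1..65535
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        return "scheme"
    host = parts.hostname
    if host is None:
        return "no-host"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "not-ip-literal"
    if addr != ipaddress.ip_address(subscriber_ip):
        return "host-mismatch"
    try:
        port = parts.port  # raises ValueError when outside 0..65535
    except ValueError:
        return "bad-port"
    if port == 0:
        return "bad-port"
    return "ok"


def evaluate_subscribe(raw: bytes, subscriber_ip: str) -> dict:
    """Decide whether an initial subscription's callbacks may be used.
    Renewals carry a SID and no CALLBACK header; they are out of scope here."""
    req = parse_subscribe(raw)
    if req["method"] != "SUBSCRIBE":
        return {"accept": False, "reason": "not-subscribe", "urls": []}
    urls = callback_urls(req["headers"])
    if not urls:
        return {"accept": False, "reason": "no-callback", "urls": []}
    if len(urls) > MAX_CALLBACKS:
        return {"accept": False, "reason": "too-many-callbacks", "urls": urls}
    for url in urls:
        verdict = check_callback(url, subscriber_ip)
        if verdict != "ok":
            return {"accept": False, "reason": verdict, "urls": urls}
    return {"accept": True, "reason": "ok", "urls": urls}


if __name__ == "__main__":
    # The sample came from 192.168.1.50 but asks for delivery to 203.0.113.7,
    # which is exactly the pattern an unchecked handler would act on.
    print(evaluate_subscribe(SAMPLE_REQUEST, "192.168.1.50"))
```

The same parsing can be pointed at captured traffic on the device's event port to spot abuse: any SUBSCRIBE whose CALLBACK host differs from the packet's source address is the signature of the attack described above, whether or not the device in question has been patched.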
Preconditions
- Target device must have UPnP enabled and be reachable on the network
- Attacker must be able to send an HTTP SUBSCRIBE request to the vulnerable device
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] github.com/advisories/GHSA-c438-6f6r-pg8w (GitHub Security Advisory)
[2] nvd.nist.gov/vuln/detail/CVE-2020-23622 (NVD)
[3] github.com/4thline/cling/issues/253 (cling issue tracker)
[4] zh-cn.tenable.com/blog/cve-2020-12695-callstranger-vulnerability-in-universal-plug-and-play-upnp-puts-billions-of (Tenable blog on CallStranger, CVE-2020-12695)
News mentions
No linked articles in our index yet.