Unrated severityOSV Advisory· Published Jan 29, 2026· Updated Jan 29, 2026

TrustTunnel has SSRF and private network restriction bypass via numeric address destinations

CVE-2026-24902

Description

TrustTunnel is an open-source VPN protocol with a server-side request forgery and and private network restriction bypass in versions prior to 0.9.114. In tcp_forwarder.rs, SSRF protection for allow_private_network_connections = false was only applied in the TcpDestination::HostName(peer) path. The TcpDestination::Address(peer) => peer path proceeded to TcpStream::connect() without equivalent checks (for example is_global_ip, is_loopback), allowing loopback/private targets to be reached by supplying a numeric IP. The vulnerability is fixed in version 0.9.114.

Affected products

Trusttunnel/TrusttunnelOSV
Range: v0.9.100, v0.9.102, v0.9.105, …

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/TrustTunnel/TrustTunnel/commit/734bb5cf103b72390a95c853cbf91e699cc01bc0mitrex_refsource_MISC
github.com/TrustTunnel/TrustTunnel/security/advisories/GHSA-hgr9-frvw-5r76mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000