Tags › Coturn
Securing coturn: Configuration Guide
Published on Feb 25, 2026 in TURN security, coturn, server hardening, webrtc security
The coturn-specific companion to our TURN Server Security Best Practices guide. Copy-paste configuration blocks for access control, protocol hardening, rate limiting, and authentication, with three complete templates from minimal to high-security.…
coturn: access control bypass via loopback peer address
Published on Jan 11, 2021 in CVE-2020-26262, coturn, access control, security advisory
- Fixed version: 4.5.2
- Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2021-01-coturn-access-control-bypass/
- Coturn Security Advisory: https://github.com/coturn/coturn/security/advisories/GHSA-6g6j-r9rf-cm7p
- Other references:
- Tested vulnerable versions: 4.5.1.x
- Timeline:
- Report date: 2020-11-20
- Issue confirmed by coturn developers: 2020-11-23
- Security patch provided by Enable Security: 2020-11-30
- Refactoring by coturn developers: 2020-12-07 to 2020-12-10
- Joint Enable Security and Coturn project advisory publication: 2021-01-11
Description
By default coturn does not allow peers to connect and relay packets to loopback addresses in the range of 127.x.x.x. However, it was observed that when sending a CONNECT request with the XOR-PEER-ADDRESS value of 0.0.0.0, a successful response was received and subsequently, CONNECTIONBIND also received a successful response. Coturn then was able to relay packets to local network services.