Hello,
I just released GUPnP 1.0.7 and GUPnP 1.2.5 which contain an important fix for a potential DNS rebind attack.
A malicious website could trick UPnP services implemented with GUPnP to react to requests coming from that website, leading to e.g. data exfiltration or unwanted or harmful remote calls from said website
Upgrading is strongly recommended.
The relevant commits are
https://gitlab.gnome.org/GNOME/gupnp/-/commit/ca6ec9dcb26fd7a2a630eb6a68118659b589afac and https://gitlab.gnome.org/GNOME/gupnp/-/commit/05e964d48322ff23a65c6026d656e4494ace6ff9.
Note: This fix might cause compatibility issues with older broken UPnP clients. CVE id for this is currently pending assignment.
Mitigation: Using a DNS resolver that prevents DNS rebinding