Security-relevant releases for GUPnP issue CVE-2021-33516


I just released GUPnP 1.0.7 and GUPnP 1.2.5 which contain an important fix for a potential DNS rebind attack.

A malicious website could trick UPnP services implemented with GUPnP into reacting to requests coming from that website, leading to e.g. data exfiltration or unwanted or harmful remote calls from said website.

Upgrading is strongly recommended.

The relevant commits are and

Note: This fix might cause compatibility issues with older broken UPnP clients. CVE id for this is currently pending assignment.

Mitigation: Using a DNS resolver that prevents DNS rebinding
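
A common server-side defence against the DNS rebinding described in the announcement above is to reject any request whose Host header is not the literal address the service listens on. The C code below is an added example, not part of the original post and not GUPnP's code or the content of the commits it mentions; `host_header_allowed`, `port_suffix_ok` and the sample addresses are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Accept only "" or ":<digits>" after the address part of Host. */
static bool port_suffix_ok(const char *s)
{
    if (*s == '\0') return true;
    if (*s++ != ':' || *s == '\0') return false;
    for (; *s; s++)
        if (*s < '0' || *s > '9') return false;
    return true;
}

/* True only if Host is the literal IP the service is bound to (hypothetical
 * helper). A rebinding page reaches the service under the attacker's DNS
 * name, so its requests carry that name in Host and are rejected here. */
bool host_header_allowed(const char *host, const char *bound_ip)
{
    unsigned char want[16], got[16];
    char buf[INET6_ADDRSTRLEN];
    const char *end;
    size_t len;
    if (host == NULL || bound_ip == NULL) return false;
    int family = strchr(bound_ip, ':') ? AF_INET6 : AF_INET;
    if (inet_pton(family, bound_ip, want) != 1) return false;
    if (family == AF_INET6) {          /* Host form: [addr] or [addr]:port */
        if (*host++ != '[' || (end = strchr(host, ']')) == NULL) return false;
        if (!port_suffix_ok(end + 1)) return false;
    } else {                           /* Host form: addr or addr:port */
        end = host + strcspn(host, ":");
        if (!port_suffix_ok(end)) return false;
    }
    len = (size_t)(end - host);
    if (len == 0 || len >= sizeof(buf)) return false;
    memcpy(buf, host, len);
    buf[len] = '\0';
    /* A DNS name is not an address literal, so inet_pton() rejects it. */
    if (inet_pton(family, buf, got) != 1) return false;
    return memcmp(want, got, family == AF_INET6 ? 16 : 4) == 0;
}

int main(void)
{
    /* Constructed sample Host values for a service bound to 192.168.1.10. */
    printf("%d\n", host_header_allowed("192.168.1.10:49152", "192.168.1.10"));
    printf("%d\n", host_header_allowed("rebind.attacker.example:49152", "192.168.1.10"));
}
```

Scoped IPv6 literals (with a zone id) are rejected by this check as written.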

I accidentally made GUPnP depend on the unreleased 1.2.4 version of GSSDP. This is not necessary, it works fine with 1.2.3.

I rolled a 1.2.6 with lowered dependencies, sorry again.
