Description

OpenVPN 2.7_alpha1 through 2.7_beta1 on POSIX-based platforms allows a remote authenticated server to inject shell commands via DNS variables when --dns-updown is in use.

PUBLISHED Reserved 2025-09-18 | Published 2025-10-24 | Updated 2025-10-25 | Assigner OpenVPN

Problem types

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status
unaffected

2.7_alpha1 (semver)
affected

References

community.openvpn.net/Security Announcements/CVE-2025-10680 vendor-advisory

www.mail-archive.com/...@lists.sourceforge.net/msg00149.html release-notes

cve.org (CVE-2025-10680)

nvd.nist.gov (CVE-2025-10680)