
Two critical security issues affecting PureVPN’s Linux clients can lead to IPv6 traffic leaking outside the encrypted tunnel and permanent changes to host firewall rules, exposing users to unintended network risks.
The flaws are tracked under CVE-2025-59691 and CVE-2025-59692, and as of this writing, the VPN vendor has not pushed fixes, so they remain unresolved and exploitable.
Leaking user traffic
The issues were discovered by a Greek security researcher who tested PureVPN’s GUI (v2.10.0) and CLI (v2.0.1) clients on Ubuntu 24.04.3 LTS with kernel 6.8.0 and iptables-nft. In a detailed report, the researcher demonstrated how network transitions such as disconnecting and reconnecting Wi-Fi or resuming from sleep could silently bypass the VPN tunnel for IPv6 traffic.
In the case of the CLI client with Internet Kill Switch (IKS) enabled, the VPN auto-reconnected and appeared to be functioning correctly. However, the system accepted Router Advertisements (RAs) and established a default IPv6 route (e.g., fe80::1), allowing IPv6 traffic to bypass the VPN entirely. The GUI client, also with IKS enabled, displayed a disconnected state and blocked IPv4 as expected, but allowed IPv6 traffic to continue until the user manually reconnected. Since the default ip6tables OUTPUT policy was set to ACCEPT, no rules blocked this traffic.
PureVPN, operated by GZ Systems Ltd., is a long-standing VPN product known for offering a wide range of clients and supporting features like split tunneling, WireGuard, and multi-hop routing. These latest findings, however, raise concerns about the reliability of its Linux clients in enforcing tunnel integrity and local firewall configurations.
Firewall misconfigurations
The second issue identified concerns the host system’s firewall. When either the GUI or CLI client connects, it modifies iptables rules in ways that may undermine user-defined security configurations. Specifically:
- The default policy for the INPUT chain is changed to ACCEPT.
- All appended rules (-A) are flushed, including those set by user tools like UFW or Docker.
- These changes are not restored upon VPN disconnection.
In practice, this means users who expect their firewall rules to persist may unknowingly be left with a significantly weakened local firewall after using the VPN. For instance, rules to block inbound ICMP traffic or drop unsolicited packets may be silently removed and not reinstated.
The researcher reported both issues to PureVPN in late August 2025. As of publication, the bugs remain unresolved, and users are advised to take precautions to prevent traffic leaks and firewall misconfigurations.
Specifically, consider disabling IPv6 if it is not required, either via /etc/sysctl.conf or network manager settings, and re-apply firewall rules after each VPN session, in particular the INPUT chain's default policy. Using custom firewall scripts or tools like nftables whose rulesets are re-applied after VPN sessions is also an effective strategy.
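The following script is an added example of how a Linux user could check for the two conditions the article describes after a VPN session and re-apply their own ruleset; it is not PureVPN code or the researcher's test script. It assumes iptables/ip6tables (the nft backend is fine) and iproute2 are installed, and the saved-ruleset paths under /etc/iptables/ are an assumption about where this host keeps its iptables-save output.

```shell
#!/bin/sh
# Post-VPN-session audit for the conditions described in the article.
# Added example; not PureVPN code and not the researcher's test script.
# Assumes iptables/ip6tables (nft backend is fine) and iproute2.
# Each check reads command output from stdin so it can also be run
# against captured text.

# Succeeds if `iptables -S <chain>` output shows a default policy of ACCEPT.
policy_is_accept() {
    grep -q "^-P $1 ACCEPT\$"
}

# Succeeds if `ip -6 route show default` output contains a default route,
# i.e. an RA-installed route that would carry IPv6 around the tunnel.
has_ipv6_default_route() {
    grep -q '^default via '
}

# Number of -A rules in `iptables -S <chain>` output; a drop to zero
# after connecting is the flush the article describes.
count_rules() {
    grep -c '^-A ' || true
}

# Live audit: prints a WARN line per finding and returns 1 if any.
audit() {
    rc=0
    if iptables -S INPUT | policy_is_accept INPUT; then
        echo "WARN: iptables INPUT policy is ACCEPT"; rc=1
    fi
    if ip6tables -S OUTPUT | policy_is_accept OUTPUT; then
        echo "WARN: ip6tables OUTPUT policy is ACCEPT, IPv6 is unfiltered"; rc=1
    fi
    if ip -6 route show default | has_ipv6_default_route; then
        echo "WARN: IPv6 default route present, traffic may bypass the VPN"; rc=1
    fi
    echo "INFO: $(iptables -S INPUT | count_rules) rule(s) in INPUT"
    return $rc
}

# Re-apply the saved ruleset (paths are an assumption: the files written
# by iptables-save on this host) and disable IPv6 if it is not required.
reapply() {
    iptables-restore < /etc/iptables/rules.v4
    ip6tables-restore < /etc/iptables/rules.v6
    sysctl -w net.ipv6.conf.all.disable_ipv6=1
}

# Run the live checks only when asked, so sourcing the file is harmless.
if [ "${VPN_AUDIT_LIVE:-0}" = 1 ]; then
    audit
fi
```

Run `VPN_AUDIT_LIVE=1 sh audit.sh` as root after disconnecting; a non-zero exit means at least one of the article's conditions is present, and `reapply` restores your own rules.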