Redazione RHC : 22 September 2025 21:12
An independent researcher named Andreas, who runs the blog Anagogistis, has discovered serious vulnerabilities in PureVPN’s Linux clients that compromise basic anonymity and traffic security. The issues affect both the graphical (2.10.0) and console (2.0.1) versions. Both were tested on Ubuntu 24.04.3 LTS.
The main vulnerability arises because, when the machine reconnects to Wi-Fi or wakes from sleep, the user’s true IPv6 address becomes visible. In the console client with the Internet Kill Switch feature enabled, the service automatically reports that the connection has resumed, but in the meantime the system receives IPv6 routes via Router Advertisement, and packets follow those routes around the VPN tunnel. Since the ip6tables policy remains ACCEPT by default, that traffic leaves the computer directly.
The graphical client introduces an even greater risk. When the connection is dropped, it properly blocks IPv4 and displays a session loss notification, but IPv6 traffic continues to flow unrestricted until the user manually clicks the Reconnect button. This leaves a significant delay during which data is transmitted to the open Internet.
Equally dangerous is the client’s handling of firewall settings. When establishing a VPN connection, it completely erases the existing iptables configuration, sets INPUT to ACCEPT, and deletes custom rules, including UFW and Docker chains and its own security policies. Once the VPN connection is terminated, these changes are not reversed, leaving the system more exposed than it was before the connection.
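As an added example (not code from the researcher or from PureVPN), the following POSIX shell script audits a Linux host for the two conditions described above: an ip6tables policy of ACCEPT together with IPv6 default or RA-learned routes that bypass the tunnel, and user-defined iptables chains (UFW, Docker) that disappear after the client connects. It runs offline against constructed samples that mimic `ip6tables -S`, `ip -6 route` and `iptables -S` output; the tunnel interface name `tun0` is an assumption. A leaky state is shown beside a hardened one.

```shell
#!/bin/sh
# Added example (not PureVPN's or the researcher's code): audit the failure
# modes described above from the text of `ip6tables -S`, `ip -6 route` and
# `iptables -S`. Samples are constructed; the interface tun0 is an assumption.

# Leaky state: every ip6tables policy ACCEPT, and an IPv6 default route learned
# from a Router Advertisement (proto ra) on the Wi-Fi interface.
SAMPLE_IP6TABLES_LEAKY='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'
SAMPLE_IP6_ROUTE_LEAKY='2001:db8:1::/64 dev wlp3s0 proto ra metric 600 pref medium
fe80::/64 dev wlp3s0 proto kernel metric 1024 pref medium
default via fe80::1 dev wlp3s0 proto ra metric 600 pref medium'

# Hardened state: policies DROP, IPv6 allowed only inside the tunnel, and the
# only default route leaving through tun0.
SAMPLE_IP6TABLES_HARDENED='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i tun0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT'
SAMPLE_IP6_ROUTE_HARDENED='fe80::/64 dev tun0 proto kernel metric 256 pref medium
default dev tun0 metric 50 pref medium'

# iptables snapshots taken before and after the client connects: the UFW and
# Docker chains and the DROP policies are gone afterwards.
SAMPLE_IPT_BEFORE='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N ufw-user-input
-A INPUT -j ufw-user-input
-A FORWARD -j DOCKER'
SAMPLE_IPT_AFTER='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# open_policies RULES: print each chain whose default policy is ACCEPT
# (works for iptables -S and ip6tables -S output alike).
open_policies() {
    printf '%s\n' "$1" | awk '$1 == "-P" && $3 == "ACCEPT" { print $2 }'
}

# ipv6_default_via_tunnel ROUTES IFACE: exit 0 only if at least one IPv6
# default route exists and every one of them leaves through IFACE.
ipv6_default_via_tunnel() {
    printf '%s\n' "$1" | awk -v tun="$2" '
        $1 == "default" {
            total++
            for (i = 1; i <= NF; i++) if ($i == "dev" && $(i + 1) != tun) leaked++
        }
        END { if (total == 0 || leaked > 0) exit 1; exit 0 }'
}

# ra_routes_outside ROUTES IFACE: print routes learned from Router
# Advertisements on any interface other than IFACE (they bypass the tunnel).
ra_routes_outside() {
    printf '%s\n' "$1" | awk -v tun="$2" '
        { dev = ""; ra = 0
          for (i = 1; i <= NF; i++) {
              if ($i == "dev") dev = $(i + 1)
              if ($i == "proto" && $(i + 1) == "ra") ra = 1 }
          if (ra && dev != tun) print }'
}

# chains_dropped BEFORE AFTER: print user-defined chains (-N lines) present in
# the BEFORE snapshot but missing from AFTER, one per line.
chains_dropped() {
    for c in $(printf '%s\n' "$1" | awk '$1 == "-N" { print $2 }'); do
        printf '%s\n' "$2" | grep -q -- "^-N $c\$" || printf '%s\n' "$c"
    done
}

# audit_ipv6 IP6TABLES ROUTES IFACE: print one line per finding; exit 0 only
# when nothing was found.
audit_ipv6() {
    findings=0
    for chain in $(open_policies "$1"); do
        echo "FINDING: ip6tables $chain policy is ACCEPT; IPv6 is outside the kill switch"
        findings=$((findings + 1))
    done
    if ! ipv6_default_via_tunnel "$2" "$3"; then
        echo "FINDING: IPv6 default route does not leave through $3"
        findings=$((findings + 1))
    fi
    ra=$(ra_routes_outside "$2" "$3" | awk 'END { print NR }')
    if [ "$ra" -gt 0 ]; then
        ra_routes_outside "$2" "$3" | sed 's/^/FINDING: RA route bypasses tunnel: /'
        findings=$((findings + ra))
    fi
    [ "$findings" -eq 0 ]
}

# Demonstration on the constructed samples.
echo "== leaky state =="
audit_ipv6 "$SAMPLE_IP6TABLES_LEAKY" "$SAMPLE_IP6_ROUTE_LEAKY" tun0 || echo "=> NOT SAFE"
echo "== hardened state =="
audit_ipv6 "$SAMPLE_IP6TABLES_HARDENED" "$SAMPLE_IP6_ROUTE_HARDENED" tun0 && echo "=> clean"
echo "== iptables chains lost after connecting =="
chains_dropped "$SAMPLE_IPT_BEFORE" "$SAMPLE_IPT_AFTER"
```

On a real host, feed the functions live output, for example `audit_ipv6 "$(ip6tables -S)" "$(ip -6 route)" tun0`, and take an `iptables -S` snapshot before connecting so that `chains_dropped` can compare it with one taken afterwards; a wake-from-sleep or Wi-Fi reconnect is the moment to re-run the IPv6 audit, since that is when the article reports the RA-learned routes appearing.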
The specialist who identified the issues submitted detailed reports and demonstration videos to PureVPN via the company’s vulnerability disclosure program at the end of August 2025. However, for three weeks, the service failed to respond or provide users with information about the risks.
In practice, this means that PureVPN Linux client users can access IPv6-enabled websites or send emails confident that the VPN is working, even though their real address has already been disclosed to the provider. The combination of an IPv6 leak and corrupted firewall rules amounts to a violation of the fundamental security principles on which trust in VPN services is based.