PureVPN Vulnerability Reveals IPv6 Address While Reconnecting to Wi-Fi


A critical security vulnerability has been discovered in PureVPN’s Linux clients that exposes users’ real IPv6 addresses during network reconnections, undermining the privacy protections that users expect from their VPN service.

The vulnerability affects both the graphical user interface (GUI version 2.10.0) and command-line interface (CLI version 2.0.1) clients on Linux, and was tested on Ubuntu 24.04.3 LTS.

IPv6 Protection Failures Create Privacy Risks

The primary vulnerability occurs when users toggle Wi-Fi connections or resume their systems from suspend mode.

During these network state changes, PureVPN’s client fails to maintain proper IPv6 protections, creating a significant privacy leak.

In CLI mode with Internet Kill Switch (IKS) enabled, the client automatically reconnects and reports a “connected” status to users.

However, behind the scenes, the system regains a default IPv6 route through Router Advertisements, allowing IPv6 traffic to bypass the VPN tunnel entirely.

Since the ip6tables OUTPUT policy remains set to ACCEPT by default, internet traffic resumes flowing outside the protected tunnel without the user's knowledge.

The GUI client presents an even more concerning scenario. When a disconnection is detected, the interface properly blocks IPv4 traffic and displays a “VPN session disconnected” dialog to alert users.

Unfortunately, IPv6 functionality continues operating normally until users manually click the Reconnect button, leaving a substantial window of vulnerability.
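
A defender-side check for the state described above, as an added example that is not from the original article or from PureVPN: it parses the output of `ip -6 route show default` and `ip6tables -S OUTPUT` and reports default IPv6 routes that sit outside the tunnel while the OUTPUT policy is ACCEPT. The tunnel interface prefixes (tun, wg) and the sample command output are assumptions constructed for illustration.

```python
import re

# Assumption: the VPN tunnel interface name starts with one of these prefixes.
TUNNEL_PREFIXES = ("tun", "wg")
# Route types that discard traffic instead of forwarding it.
DISCARD_TYPES = {"unreachable", "blackhole", "prohibit"}

# Constructed sample of `ip -6 route show default` after a Wi-Fi reconnect.
SAMPLE_ROUTES = """\
default via fe80::1 dev wlp2s0 proto ra metric 600 pref medium
default dev tun0 metric 50 pref medium
unreachable default dev lo metric 4294967295 pref medium
"""
# Constructed sample of `ip6tables -S OUTPUT` with no IPv6 egress filtering.
SAMPLE_RULES = "-P OUTPUT ACCEPT\n"


def off_tunnel_defaults(route_text, tunnel_prefixes=TUNNEL_PREFIXES):
    """Return (device, learned_from_ra) for default routes outside the tunnel."""
    found = []
    for line in route_text.splitlines():
        fields = line.split()
        if not fields or fields[0] in DISCARD_TYPES or "dev" not in fields[:-1]:
            continue  # blank line, discard route, or no device named
        dev = fields[fields.index("dev") + 1]
        if not dev.startswith(tunnel_prefixes):
            found.append((dev, bool(re.search(r"\bproto ra\b", line))))
    return found


def output_policy(rules_text):
    """Return the OUTPUT chain policy from `ip6tables -S OUTPUT`, or None."""
    match = re.search(r"^-P OUTPUT (\S+)", rules_text, re.MULTILINE)
    return match.group(1) if match else None


def ipv6_leak_findings(route_text, rules_text):
    """Return off-tunnel default routes when the OUTPUT policy is ACCEPT.

    Heuristic: only the chain policy is checked; explicit DROP/REJECT rules
    inside the chain are not evaluated.
    """
    if output_policy(rules_text) != "ACCEPT":
        return []
    return off_tunnel_defaults(route_text)


if __name__ == "__main__":
    for dev, from_ra in ipv6_leak_findings(SAMPLE_ROUTES, SAMPLE_RULES):
        origin = "Router Advertisement" if from_ra else "other source"
        print(f"IPv6 default route outside tunnel: dev={dev} ({origin})")
```

To check a live system, pass the output of the two commands, captured after a Wi-Fi toggle or a resume from suspend, to ipv6_leak_findings().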

Firewall Configuration Compromised

Beyond the IPv6 leakage issue, PureVPN’s connection process fundamentally compromises users’ existing firewall configurations.

When establishing a VPN connection, the client completely wipes the user’s iptables configuration, setting INPUT policies to ACCEPT and flushing all custom rules including UFW protections, Docker jump rules, and user-defined security policies.

Most critically, these firewall changes are never reverted when users disconnect from the VPN service.

This means systems remain significantly more exposed to network threats after using PureVPN than they were before connecting, directly contradicting user expectations and defeating the purpose of implementing local firewall protections.

The security researcher who discovered these vulnerabilities submitted comprehensive technical reports and demonstration videos to PureVPN’s security team in late August 2025 through their Vulnerability Disclosure Program.

Despite three weeks passing since the initial disclosure, PureVPN has provided no acknowledgment or response regarding these critical security issues.

These vulnerabilities have immediate real-world impact, allowing users to browse IPv6-enabled websites and send emails through their internet service provider’s IPv6 addresses while believing they remain protected by their VPN connection.

The combination of IPv6 leakage and compromised firewall states represents a fundamental failure in PureVPN’s core security promises to users.




About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.