MEDIUM
The severity rating for Tunly is MEDIUM due to the potential security risks associated with improper configuration, such as misconfigured authentication tokens or outdated dependencies. Real-world exploitability depends heavily on user setup; if properly configured and maintained, the risk of exploitation is low.

Tunly is a modern, Rust-based alternative to ngrok that allows users to securely expose local development servers on their own domain. The tool uses automatic Let's Encrypt wildcard HTTPS and Caddy for secure connections, ensuring that data transmitted over the tunnel remains encrypted and authenticated. It provides simple token authentication and robust reconnect functionality, making it an attractive option for developers looking to avoid third-party relays like ngrok. However, as with any self-hosted solution, proper configuration is critical to prevent unauthorized access or exploitation of vulnerabilities in underlying components.

Affected Systems
  • Tunly

Affected Versions: all versions

Remediation
  • Ensure that the latest version of Tunly is installed by running `docker pull spidervirus/tunly` to get updates and security patches.
  • Configure strong authentication tokens for each tunnel instance in the configuration file located at `/etc/tunly/config.yaml`. Ensure tokens are rotated regularly.
  • Monitor logs for unusual activity using commands like `journalctl -u tunly.service` to detect potential unauthorized access attempts.

Stack Impact

For homelab stacks, Tunly's impact is primarily on development workflows where local services need public exposure. Docker and Caddy configurations are directly affected, as well as the specific configuration file for setting up tunnels.
