UPnP/miniupnpd in 2024

I'll add a bit of what I know, although I don't use upnp and wouldn't recommend it.

The original upnp implementations would allow a device to request ports to be opened/forwarded to any address that they specified. This meant that a compromised computer could, in theory, poke holes in the router's firewall and have that traffic forwarded to any other device on the network. This obviously presents a major attack vector within a network that could silently compromise many other hosts.

Later implementations have theoretically addressed this by only allowing port-forwarding of traffic to the host that actually makes the request. In Ubiquiti's EdgeMax line of routers, this is known a upnp2. Per the link above, that would be the "secure mode" option in OpenWrt's implementation.

However, even with the upnp2/secure mode configuration, it still presents a risk insofar as a compromised host could still open ports to itself, allowing remote access for data access or other remote execution attacks.

Presumably, if the int_address is configured to point to only the host(s) that explicitly should have upnp enabled (such as a game console), this significantly limits the potential attack surfaces. This still assumes that the game console or other device will only open ports for legitimate purposes (i.e. the host itself is not compromised and the app is trustworthy)... after all, a rogue app could still serve as a springboard to gain entry into the network via the allowed upnp host(s). And, in fact, it doesn't have to be a rogue app, per-se... it could be a legit app that happens to have a security vulnerability.

With all that said, I personally recommend manual port forwarding, and only when necessary. I'd avoid upnp because, by its nature, it does things silently and without the explicit knowledge of the network administrator, raising the risk of compromises (even with port fowarding, the "legit app with a vulnerability" scenario could still be a liability, but at least the network admin would have knowingly opened the port rather than being surprised by the fact that a ports was opened).

That's my opinion, though... it's all a balance of security vs convenience, and that calculation is different for each person.