Conntrack helpers can be a security issue if not implemented correctly. Nftables for example notes:
If you use a helper to forward traffic to a host behind your stateful router, it is critical that you use a daddr expression to restrict such traffic to that specific host in both Rule 2 (helper assignment) and in a rule similar to Rule 3b (related packets) in your forward filter chain(s). Otherwise the helper may allow allow arbitrary port forwarding, much like allowing untrusted remote hosts to inject "dnat"-based port forwarding rules.
We should therefore add the means to extend firewall rules to secure the use of conntrack helpers.
Proposed syntax:
set firewall ipv4 [forward filter|name N] rule N conntrack-helper [ftp|pptp|...]
Ref: