CVE-2025-49832

Source
https://cve.org/CVERecord?id=CVE-2025-49832
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49832.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-49832
Aliases
  • GHSA-mrq5-74j5-f5cr
Downstream
Published
2025-08-01T17:57:29.933Z
Modified
2026-04-10T05:29:04.881563Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
Asterisk is Vulnerable to Remote DoS and possible RCE Attacks During Memory Allocation
Details

Asterisk is an open source private branch exchange and telephony toolkit. In versions up to and including 18.26.2, between 20.00.0 and 20.15.0, 20.7-cert6, 21.00.0, and 22.00.0 through 22.5.0, there is a remote DoS and possible RCE condition in asterisk/res/res_stir_shaken/verification.c. It can be exploited when an attacker can set an arbitrary Identity header, or when STIR/SHAKEN is enabled with verification set in the SIP profile associated with the endpoint being attacked. This is fixed in versions 18.26.3, 20.7-cert6, 20.15.1, 21.10.1 and 22.5.1.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/49xxx/CVE-2025-49832.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-476"
    ]
}
References

Affected packages

Git / github.com/asterisk/asterisk

Affected ranges

Type
GIT
Repo
https://github.com/asterisk/asterisk
Events
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "18.26.3"
        },
        {
            "introduced": "20.00.0"
        },
        {
            "fixed": "20.15.1"
        },
        {
            "introduced": "21.00.0"
        },
        {
            "fixed": "21.10.1"
        },
        {
            "introduced": "22.00.0"
        },
        {
            "fixed": "22.5.1"
        }
    ]
}
Type
GIT
Repo
https://github.com/asterisk/asterisk
Events
Database specific
{
    "versions": [
        {
            "introduced": "20.7-cert6"
        },
        {
            "fixed": "20.7-cert7"
        }
    ]
}

Affected versions

18.*
18.17.0
18.17.0-rc1
18.17.1
18.18.0
18.18.0-rc1
18.18.1
18.19.0
18.19.0-rc1
18.19.0-rc2
18.20.0
18.20.0-rc1
18.20.1
18.20.2
18.21.0
18.21.0-rc1
18.21.0-rc2
18.22.0
18.22.0-rc1
18.22.0-rc2
18.23.0
18.23.0-rc1
18.23.1
18.24.0
18.24.0-rc1
18.24.1
18.24.2
18.24.3
18.25.0
18.25.0-rc1
18.25.0-rc2
18.26.0
18.26.0-rc1
18.26.1
18.26.2
20.*
20.10.0
20.10.0-rc1
20.10.0-rc2
20.11.0
20.11.0-rc1
20.11.1
20.12.0
20.12.0-rc1
20.12.0-rc2
20.13.0
20.13.0-rc1
20.14.0
20.14.0-rc1
20.15.0
20.15.0-rc1
20.15.0-rc2
20.15.0-rc3
20.2.0
20.2.0-rc1
20.2.1
20.3.0
20.3.0-rc1
20.3.1
20.4.0
20.4.0-rc1
20.4.0-rc2
20.5.0
20.5.0-rc1
20.5.1
20.5.2
20.6.0
20.6.0-rc1
20.6.0-rc2
20.7.0
20.7.0-rc1
20.7.0-rc2
20.8.0
20.8.0-rc1
20.8.1
20.9.0
20.9.0-rc1
20.9.1
20.9.2
20.9.3
21.*
21.0.0
21.0.0-pre1
21.0.0-rc1
21.0.1
21.0.2
21.1.0
21.1.0-rc1
21.1.0-rc2
21.10.0
21.10.0-rc1
21.10.0-rc2
21.10.0-rc3
21.2.0
21.2.0-rc1
21.2.0-rc2
21.3.0
21.3.0-rc1
21.3.1
21.4.0
21.4.0-rc1
21.4.1
21.4.2
21.4.3
21.5.0
21.5.0-rc1
21.5.0-rc2
21.6.0
21.6.0-rc1
21.6.1
21.7.0
21.7.0-rc1
21.7.0-rc2
21.8.0
21.8.0-rc1
21.9.0
21.9.0-rc1
22.*
22.0.0
22.0.0-pre1
22.0.0-rc1
22.0.0-rc2
22.1.0
22.1.0-rc1
22.1.1
22.2.0
22.2.0-rc1
22.2.0-rc2
22.3.0
22.3.0-rc1
22.4.0
22.4.0-rc1
22.5.0
22.5.0-rc1
22.5.0-rc2
22.5.0-rc3
certified-20.*
certified-20.7-cert1-pre1
certified-20.7-cert6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49832.json"