CVE-2025-68274
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-68274
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68274.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-68274
- Aliases
- Published
- 2025-12-16T22:02:55.360Z
- Modified
- 2025-12-22T18:41:45.371479Z
- Severity
-
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- SIPGO library has response DoS vulnerability via nil pointer dereference
- Details
-
SIPGO is a library for writing SIP services in the GO language. Starting in version 0.3.0 and prior to version 1.0.0-alpha-1, a nil pointer dereference vulnerability is in the SIPGO library's
NewResponseFromRequestfunction that affects all normal SIP operations. The vulnerability allows remote attackers to crash any SIP application by sending a single malformed SIP request without a To header. The vulnerability occurs when SIP message parsing succeeds for a request missing the To header, but the response creation code assumes the To header exists without proper nil checks. This affects routine operations like call setup, authentication, and message handling - not just error cases. This vulnerability affects all SIP applications using the sipgo library, not just specific configurations or edge cases, as long as they make use of theNewResponseFromRequestfunction. Version 1.0.0-alpha-1 contains a patch for the issue. - Database specific
{ "cwe_ids": [ "CWE-476", "CWE-755" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68274.json", "cna_assigner": "GitHub_M" }- References