GHSA-f26w-gh5m-qq77
Suggest an improvement- Source
- https://github.com/advisories/GHSA-f26w-gh5m-qq77
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-f26w-gh5m-qq77/GHSA-f26w-gh5m-qq77.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-f26w-gh5m-qq77
- Aliases
- Related
- Published
- 2025-06-09T20:29:40Z
- Modified
- 2025-06-10T17:59:27.942763Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Pion Interceptor's improper RTP padding handling allows remote crash for SFU users (DoS)
- Details
-
Impact
Pion Interceptor versions v0.1.36 through v0.1.38 contain a bug in a RTP packet factory that can be exploited to trigger a panic with Pion based SFU via crafted RTP packets, This only affect users that use pion/interceptor.
Patches
Upgrade to v0.1.39 or later, which includes PR #338 which validates that:
padLen > 0 && padLen <= payloadLengthand return error on overflow, avoiding panic.If upgrading is not possible, apply the patch from the pull request manually or drop packets whose P-bit is set but whose padLen is zero or larger than the remaining payload.
Workarounds
At the application layer, reject any RTP packet where:
hasPadding (P-bit field) == true && (padLen == 0 || padLen > packetLen – headerLen)before passing it to Pion’s packet factories.
References
Commit fixing the bug: https://github.com/pion/interceptor/commit/fa5b35ea867389cec33a9c82fffbd459ca8958e5 Pull request: https://github.com/pion/interceptor/pull/338 Issue: https://github.com/pion/webrtc/issues/3148
- Database specific
{ "nvd_published_at": "2025-06-09T22:15:22Z", "cwe_ids": [ "CWE-770" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2025-06-09T20:29:40Z" }- References
-
- https://github.com/pion/interceptor/security/advisories/GHSA-f26w-gh5m-qq77
- https://nvd.nist.gov/vuln/detail/CVE-2025-49140
- https://github.com/pion/webrtc/issues/3148
- https://github.com/pion/interceptor/pull/338
- https://github.com/pion/interceptor/commit/fa5b35ea867389cec33a9c82fffbd459ca8958e5
- https://github.com/pion/interceptor
Affected packages
Go / github.com/pion/interceptor
Package
- Name
- github.com/pion/interceptor
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/pion/interceptor