CVE-2025-68274
Nil Pointer Dereference in SIPGO's NewResponseFromRequest Causes Remote Crash

Publication date: 2025-12-16

Last updated on: 2026-03-05

Assigner: GitHub, Inc.

Description
SIPGO is a library for writing SIP services in the Go language. Starting in version 0.3.0 and prior to version 1.0.0-alpha-1, the SIPGO library's `NewResponseFromRequest` function contains a nil pointer dereference vulnerability that affects all normal SIP operations. The vulnerability allows remote attackers to crash any SIP application by sending a single malformed SIP request without a To header. The vulnerability occurs when SIP message parsing succeeds for a request missing the To header, but the response creation code assumes the To header exists without proper nil checks. This affects routine operations like call setup, authentication, and message handling, not just error cases. This vulnerability affects all SIP applications using the sipgo library, not just specific configurations or edge cases, as long as they make use of the `NewResponseFromRequest` function. Version 1.0.0-alpha-1 contains a patch for the issue.
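A pre-parse guard for the condition described above, as an added example that is not sipgo's code or part of the original advisory: it checks a raw request for the header fields RFC 3261 section 8.1.1 makes mandatory, so a message without To can be rejected or logged before any response-building code runs. `MissingHeaders` and the sample messages are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Header fields RFC 3261 section 8.1.1 requires in every request, with compact forms.
var mandatory = []struct{ name, compact string }{
	{"Via", "v"}, {"To", "t"}, {"From", "f"}, {"Call-ID", "i"}, {"CSeq", ""}, {"Max-Forwards", ""},
}

// Constructed sample requests (example.com names are placeholders).
const head = "OPTIONS sip:svc@example.com SIP/2.0\r\n" +
	"Via: SIP/2.0/UDP client.example.com;branch=z9hG4bK776\r\n" +
	"Max-Forwards: 70\r\n" +
	"f: <sip:alice@example.com>;tag=1928\r\n"
const tail = "Call-ID: a84b4c76e66710\r\nCSeq: 1 OPTIONS\r\nContent-Length: 0\r\n\r\n"
const sampleOK = head + "t: <sip:svc@example.com>\r\n" + tail
const sampleNoTo = head + tail

// MissingHeaders lists the mandatory headers absent from a raw SIP request.
func MissingHeaders(raw string) []string {
	seen := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(raw))
	sc.Scan() // skip the request line
	for sc.Scan() {
		line := sc.Text() // Scanner already strips the trailing CRLF
		if line == "" {
			break // blank line ends the header section
		}
		if line[0] == ' ' || line[0] == '\t' {
			continue // folded continuation of the previous header
		}
		if name, _, ok := strings.Cut(line, ":"); ok {
			seen[strings.ToLower(strings.TrimSpace(name))] = true
		}
	}
	var missing []string
	for _, h := range mandatory {
		if !seen[strings.ToLower(h.name)] && !(h.compact != "" && seen[h.compact]) {
			missing = append(missing, h.name)
		}
	}
	return missing
}

func main() {
	fmt.Println("complete request:", MissingHeaders(sampleOK))
	fmt.Println("request without To:", MissingHeaders(sampleNoTo))
}
```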
Meta Information
Published: 2025-12-16
Last Modified: 2026-03-05
Generated: 2026-06-16
AI Q&A: 2025-12-17
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor | Product | Version / Range
emiago | sipgo | From 0.30.0 (inc) to 1.0.0 (exc)
CWE ID | Description
CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL.
CWE-755 | The product does not handle or incorrectly handles an exceptional condition.
Executive Summary

This vulnerability is a nil pointer dereference in the SIPGO library's `NewResponseFromRequest` function. It occurs when a SIP request is missing the To header, which the response creation code assumes exists without proper checks. As a result, a remote attacker can send a single malformed SIP request without a To header to crash any SIP application using this library.

Impact Analysis

The vulnerability allows remote attackers to crash any SIP application that uses the SIPGO library by sending a malformed SIP request without a To header. This can disrupt normal SIP operations such as call setup, authentication, and message handling, potentially causing denial of service.

Mitigation Strategies

To mitigate this vulnerability, upgrade the SIPGO library to version 1.0.0-alpha-1 or later, which contains a patch for the issue. Avoid using vulnerable versions (0.3.0 up to but not including 1.0.0-alpha-1) in your SIP applications.
