CVE-2025-68274
Nil Pointer Dereference in SIPGO's NewResponseFromRequest Causes Remote Crash
Publication date: 2025-12-16
Last updated on: 2026-03-05
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| emiago | sipgo | From 0.30.0 (inc) to 1.0.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
| CWE-755 | The product does not handle or incorrectly handles an exceptional condition. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a nil pointer dereference in the SIPGO library's `NewResponseFromRequest` function. It occurs when a SIP request is missing the To header, which the response creation code assumes exists without proper checks. As a result, a remote attacker can send a single malformed SIP request without a To header to crash any SIP application using this library.
How can this vulnerability impact me?
The vulnerability allows remote attackers to crash any SIP application that uses the SIPGO library by sending a malformed SIP request without a To header. This can disrupt normal SIP operations such as call setup, authentication, and message handling, potentially causing denial of service.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade the SIPGO library to version 1.0.0-alpha-1 or later, which contains a patch for the issue. Avoid using vulnerable versions (0.3.0 up to but not including 1.0.0-alpha-1) in your SIP applications.
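The missing-header condition described above can be checked on raw messages in a regression test or a front-end filter. The following is an added example, not code from SIPGO or from this advisory; it goes beyond the To header to all six headers that RFC 3261 section 8.1.1 requires in a request, and `MissingHeaders`, `required` and `sampleNoTo` are names assumed here for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// required lists the headers RFC 3261 section 8.1.1 demands in every request,
// with the compact form where one is defined.
var required = []struct{ name, compact string }{
	{"to", "t"}, {"from", "f"}, {"call-id", "i"},
	{"cseq", ""}, {"max-forwards", ""}, {"via", "v"},
}

// MissingHeaders returns the required headers absent from a raw SIP request.
func MissingHeaders(raw string) []string {
	seen := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(raw))
	sc.Scan() // skip the request line
	for sc.Scan() {
		line := sc.Text()
		if line == "" { // blank line ends the header section
			break
		}
		if line[0] == ' ' || line[0] == '\t' { // folded continuation line
			continue
		}
		if name, _, ok := strings.Cut(line, ":"); ok {
			seen[strings.ToLower(strings.TrimSpace(name))] = true
		}
	}
	var missing []string
	for _, h := range required {
		if !seen[h.name] && !(h.compact != "" && seen[h.compact]) {
			missing = append(missing, h.name)
		}
	}
	return missing
}

// Constructed sample: an OPTIONS request with the To header left out.
const sampleNoTo = "OPTIONS sip:svc@example.invalid SIP/2.0\r\n" +
	"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed\r\n" +
	"f: <sip:a@example.invalid>;tag=1\r\n" +
	"Call-ID: constructed-1\r\nCSeq: 1 OPTIONS\r\nMax-Forwards: 70\r\n\r\n"

func main() {
	fmt.Println(MissingHeaders(sampleNoTo))
}
```

A non-empty result means the message should be rejected before any response is built from it.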