rtpengine: RTP Inject and RTP Bleed vulnerabilities despite proper configuration
Published on Jul 31, 2025 in CVE-2025-53399, rtpengine, owasp, security advisory
- CVSS v4.0
  - Exploitability: High
  - Complexity: Low
  - Vulnerable system: Medium
  - Subsequent system: Medium
  - Exploitation: High
  - Security requirements: High
  - Vector: link
- Other references: CVE-2025-53399
- Fixed versions: >= mr13.4.1.1
- Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2025-01-rtpengine-improper-behavior-bleed-inject/
- Reproduction tools: https://github.com/EnableSecurity/advisories/tree/master/ES2025-01-rtpengine-improper-behavior-bleed-inject
- Tested vulnerable versions: mr13.3.1.4 and lower
- Timeline:
  - First report: 2025-04-24
  - Triaged: 2025-04-30
  - Fix provided for testing: 2025-05-05
  - Various back and forth and more fixes: 2025-05 / 2025-06
  - Vendor applied all fixes satisfactorily to master branch: 2025-06-05
  - Enable Security verified and confirmed fix: 2025-06-26
  - Vendor release with fix (mr13.4.1.1): 2025-07-03
  - Enable Security advisory: 2025-07-31
Description
Media servers often support source address learning to dynamically adapt to network conditions and client behavior. This is especially useful in scenarios involving NAT where the source IP and port of incoming RTP packets may differ from what was initially signaled via SDP over SIP. However, this mechanism can be exploited for two types of attacks if malicious packets are accepted as legitimate:
…