Tags › Sipgo
SIPGO: Response DoS vulnerability via nil pointer dereference
Published on Dec 17, 2025 in CVE-2025-68274, sipgo, denial of service, security advisory
- CVSS v4.0
- Exploitability: High
- Complexity: Low
- Vulnerable system: High
- Subsequent system: None
- Exploitation: High
- Security requirements: High
- Vector: link
- Other references:
- CVE-2025-68274
- GHSA-c623-f998-8hhv
- CWE-476: NULL Pointer Dereference
- CWE-755: Improper Handling of Exceptional Conditions
- Fixed versions: >= v1.0.0-alpha-1
- Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2025-02-sipgo-response-dos/
- Reproduction tools: https://github.com/EnableSecurity/advisories/tree/master/ES2025-02-sipgo-response-dos
- Tested vulnerable versions: >= v0.3.0, < v1.0.0-alpha-1
- Timeline:
- First discovery: 2025-08-31
- Root cause analysis: 2025-08-31
- Fix developed: 2025-08-31
- Regression tests created: 2025-08-31
- Enable Security advisory: 2025-12-17
Description
A nil pointer dereference vulnerability was discovered in the SIPGO library’s NewResponseFromRequest function that affects all normal SIP operations. The vulnerability allows remote attackers to crash any SIP application by sending a single malformed SIP request without a To header.
