CVE-2025-68274

7.5 HIGH

📋 TL;DR

A nil pointer dereference vulnerability in SIPGO library's NewResponseFromRequest function allows remote attackers to crash SIP applications by sending a single malformed SIP request without a To header. This affects all SIP applications using the vulnerable library versions for routine operations like call setup and authentication. The vulnerability is triggered when parsing succeeds for requests missing the To header but response creation assumes its existence without proper nil checks.

💻 Affected Systems

Products:
  • SIPGO library
  • Any SIP application built with SIPGO library
Versions: 0.3.0 to 1.0.0-alpha-1 (excluding 1.0.0-alpha-1)
Operating Systems: All operating systems running Go applications
Default Config Vulnerable: ⚠️ Yes
Notes: All applications using the NewResponseFromRequest function are affected regardless of configuration. The vulnerability is in core library code, not dependent on specific application settings.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial of service for SIP services, disrupting voice/video communications, authentication systems, and messaging functionality across affected applications.

🟠 Likely Case

Service crashes and restarts causing intermittent service disruption, potentially leading to call drops, failed authentications, and degraded SIP service availability.

🟢 If Mitigated

Minimal impact with proper network controls and monitoring; crashes would be detected and services could auto-restart with minimal downtime.

🌐 Internet-Facing: HIGH - Remote attackers can exploit without authentication using a single malformed packet, making internet-facing SIP services particularly vulnerable to DoS attacks.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could still cause service disruption, but attack surface is reduced compared to internet-facing deployments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only sending a single malformed SIP request without a To header. No authentication or special conditions needed. The simplicity makes weaponization highly likely.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.0-alpha-1

Vendor Advisory: https://github.com/emiago/sipgo/security/advisories/GHSA-c623-f998-8hhv

Restart Required: Yes

Instructions:

1. Update SIPGO dependency to version 1.0.0-alpha-1 or later
2. Run 'go get github.com/emiago/sipgo@v1.0.0-alpha-1'
3. Rebuild and redeploy your SIP application
4. Restart all affected services

🔧 Temporary Workarounds

Input Validation Wrapper

all

Implement a custom wrapper around NewResponseFromRequest that checks that the To header exists before calling the vulnerable function.

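// Go code example. Assumes sipgo's sip package: To() is an accessor method, and
// NewResponseFromRequest(req, statusCode, reason, body) returns only *sip.Response.
// The statusCode type (sip.StatusCode here) is an assumption; match your vendored version.
import (
    "errors"
    "github.com/emiago/sipgo/sip"
)
func SafeNewResponseFromRequest(req *sip.Request, code sip.StatusCode, reason string, body []byte) (*sip.Response, error) {
    // Reject requests that parsed successfully but carry no To header.
    if req == nil || req.To() == nil {
        return nil, errors.New("missing To header")
    }
    return sip.NewResponseFromRequest(req, code, reason, body), nil
}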

🧯 If You Can't Patch

  • Implement network-level filtering to block SIP requests without To headers using SIP-aware firewalls or WAFs
  • Deploy rate limiting and anomaly detection to identify and block malformed SIP request patterns

🔍 How to Verify

Check if Vulnerable:

Check go.mod or go.sum for SIPGO dependency version. If version is >=0.3.0 and <1.0.0-alpha-1, the application is vulnerable.

Check Version:

grep -i sipgo go.mod || grep -i sipgo go.sum

Verify Fix Applied:

Verify SIPGO version is 1.0.0-alpha-1 or later in go.mod and test with malformed SIP requests (without To header) to ensure service doesn't crash.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes/panics with nil pointer dereference errors
  • SIP service restarts without clear cause
  • Error logs mentioning 'panic', 'nil pointer', or 'To header'

Network Indicators:

  • SIP requests without To headers in network traffic
  • Abnormal SIP message patterns from single sources
  • Spike in malformed SIP packets
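
Added example (not from the advisory or the SIPGO project): a standard-library Go check that flags a raw SIP request whose header section has no To header, for use in a pre-filter or a traffic-inspection job covering the first network indicator above. MissingTo is a hypothetical helper name and the sample messages are constructed, not captured traffic.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"strings"
)

// MissingTo reports whether raw is a SIP request whose header section has no
// To header, in long form ("To") or compact form ("t"). Responses and
// non-SIP data return false. Hypothetical helper, not a sipgo API.
func MissingTo(raw []byte) bool {
	sc := bufio.NewScanner(bytes.NewReader(raw)) // splits on LF, drops CR
	if !sc.Scan() {
		return false
	}
	start := strings.TrimSpace(sc.Text())
	// A request line ends with the SIP version; a status line starts with it.
	if strings.HasPrefix(start, "SIP/2.0") || !strings.HasSuffix(start, " SIP/2.0") {
		return false
	}
	for sc.Scan() {
		line := sc.Text()
		if line == "" {
			break // end of headers; "To:" text in the body must not count
		}
		if line[0] == ' ' || line[0] == '\t' {
			continue // folded continuation of the previous header
		}
		name, _, ok := strings.Cut(line, ":")
		name = strings.ToLower(strings.TrimSpace(name))
		if ok && (name == "to" || name == "t") {
			return false
		}
	}
	return true
}

func main() {
	// Constructed samples with placeholder hosts, not captured traffic.
	withTo := "OPTIONS sip:svc@example.invalid SIP/2.0\r\nt : <sip:svc@example.invalid>\r\n\r\n"
	bodyOnly := "MESSAGE sip:svc@example.invalid SIP/2.0\r\nFrom: <sip:a@example.invalid>\r\n\r\nTo: not a header\r\n"
	fmt.Println(MissingTo([]byte(withTo)), MissingTo([]byte(bodyOnly))) // false true
}
```

The check stops at the first empty line, so text in a message body that looks like a To header does not mask a missing one.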

SIEM Query:

source="application.logs" AND ("panic" OR "nil pointer" OR "To header") AND process="sip_application"
