Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
Pion Interceptor is a framework for building RTP/RTCP communication software. Versions v0.1.36 through v0.1.38 contain a bug in a RTP packet factory that can be exploited to trigger a panic with Pion based SFU via crafted RTP packets, This only affect users that use pion/interceptor. Users should upgrade to v0.1.39 or later, which validates that: padLen > 0 && padLen <= payloadLength and return error on overflow, avoiding panic. If upgrading is not possible, apply the patch from the pull request manually or drop packets whose P-bit is set but whose padLen is zero or larger than the remaining payload.
AnalysisAI
Pion Interceptor versions v0.1.36 through v0.1.38 contain a denial-of-service vulnerability in the RTP packet factory that allows unauthenticated remote attackers to trigger application panics via crafted RTP packets with malformed padding fields. This affects all applications using the Pion interceptor library for RTP/RTCP communication, with no authentication required and low attack complexity. The vulnerability has a CVSS score of 7.5 (High) with availability impact only; no evidence of active exploitation or public POC availability is documented.
Technical ContextAI
Pion Interceptor is a Go-based framework for implementing Real-Time Protocol (RTP) and Real-Time Control Protocol (RTCP) communication software, commonly used in selective forwarding units (SFUs) and WebRTC applications. The vulnerability exists in the RTP packet factory component that processes inbound RTP packets. The root cause is insufficient input validation of the RTP padding field: when the P-bit (padding bit) is set in the RTP header, the implementation fails to validate that padLen > 0 && padLen <= payloadLength before processing, leading to out-of-bounds access or integer overflow conditions classified under CWE-770 (Allocation of Resources Without Limits or Throttling). This allows attackers to craft malicious RTP packets where the padding length either exceeds remaining payload or is zero, causing the packet factory to panic rather than gracefully reject the packet. Affected products include pion/interceptor library (CPE: purl:github/pion/interceptor) in versions v0.1.36, v0.1.37, and v0.1.38.
RemediationAI
Immediate: Upgrade Pion Interceptor to v0.1.39 or later, which includes input validation that checks padLen > 0 && padLen <= payloadLength and returns an error on overflow instead of panicking. This is the recommended fix. Alternatively, if immediate upgrade is not feasible: (1) Manual patch application - apply the validation logic from the referenced pull request to local codebase; (2) Network-level mitigation - configure packet filtering or firewall rules to drop RTP packets with P-bit set (0x20 in the first byte of the RTP header) as a temporary workaround, though this may impact legitimate RTP padding use; (3) Application-level workaround - implement a wrapper that catches panics from the RTP packet factory and gracefully handles malformed packets. Monitor the official Pion project repository (https://github.com/pion/interceptor) for patch release 0.1.39 details and apply within standard patch management cycles.
Erugo file-sharing platform up to version 0.2.14 has a CVSS 10.0 path traversal allowing authenticated users to read any
WAGO PFC200 G2 PLC (firmware affected) allows privilege escalation through cookie manipulation. Users can modify cookie
Authentication bypass in WeGIA charitable institution management system before 3.6.5. The adicionar_tipo_docs_atendido.p
CGI path splitting vulnerability in FrankenPHP before 1.11.2 — Unicode characters bypass path validation during CGI proc
Free5gc NRF 1.4.0 has an authorization bypass in access token generation that allows authenticated users to request toke
Algo 8028 Control Panel version 3.3.3 contains a command injection vulnerability in the fm-data.lua endpoint that allows
Stack-based buffer overflow in Tenda F453 firmware 1.0.0.3 allows remote attackers with valid credentials to achieve una
Stack-based buffer overflow in Tenda F453 firmware version 1.0.0.3 allows authenticated remote attackers to achieve comp
DPanel is an open source server management panel written in Go. Prior to 1.9.2, DPanel has an arbitrary file deletion vu
Mobilego versions up to 8.5.0 is affected by incorrect permission assignment for critical resource (CVSS 7.8).
Mikogo 5.2.2.150317 contains an unquoted service path vulnerability in the Mikogo-Service Windows service configuration.
Remote attackers can inject arbitrary command-line arguments into bird-lg-go's traceroute module through unsanitized use
Same technique Denial Of Service
View allVendor StatusVendor
Ubuntu
Priority: Medium| Release | Status | Version |
|---|---|---|
| jammy | DNE | - |
| noble | needs-triage | - |
| upstream | not-affected | debian: Vulnerable code not present |
| oracular | ignored | end of life, was needs-triage |
| questing | needs-triage | - |
| plucky | ignored | end of life, was needs-triage |
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bookworm, trixie | fixed | 0.1.12-1 | - |
| forky, sid | fixed | 0.1.42-1 | - |
| (unstable) | not-affected | - | - |
SUSE
Severity: High| Product | Status |
|---|---|
| Container suse/sl-micro/6.0/baremetal-os-container:latest | Affected |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-17569
GHSA-f26w-gh5m-qq77