CVE-2025-49140

EUVD-2025-17569 | HIGH 7.5 (CVSS 3.1)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 21:13 (nvd) - patch available
Analysis Generated: Mar 14, 2026 - 19:21 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 19:21 (euvd) - EUVD-2025-17569
CVE Published: Jun 09, 2025 - 22:15 (nvd)

Description

Pion Interceptor is a framework for building RTP/RTCP communication software. Versions v0.1.36 through v0.1.38 contain a bug in an RTP packet factory that can be exploited to trigger a panic in a Pion-based SFU via crafted RTP packets. This only affects users that use pion/interceptor. Users should upgrade to v0.1.39 or later, which validates that `padLen > 0 && padLen <= payloadLength` and returns an error on overflow, avoiding the panic. If upgrading is not possible, apply the patch from the pull request manually or drop packets whose P-bit is set but whose padLen is zero or larger than the remaining payload.

Analysis

Pion Interceptor versions v0.1.36 through v0.1.38 contain a denial-of-service vulnerability in the RTP packet factory that allows unauthenticated remote attackers to trigger application panics via crafted RTP packets with malformed padding fields. This affects all applications using the Pion interceptor library for RTP/RTCP communication, with no authentication required and low attack complexity. The vulnerability has a CVSS score of 7.5 (High) with availability impact only; no evidence of active exploitation or public POC availability is documented.

Technical Context

Pion Interceptor is a Go-based framework for implementing Real-time Transport Protocol (RTP) and RTP Control Protocol (RTCP) communication software, commonly used in selective forwarding units (SFUs) and WebRTC applications. The vulnerability exists in the RTP packet factory component that processes inbound RTP packets. The root cause is insufficient input validation of the RTP padding field: when the P-bit (padding bit) is set in the RTP header, the last byte of the packet (padLen) gives the number of trailing padding bytes, and the implementation fails to validate that `padLen > 0 && padLen <= payloadLength` before using it, leading to out-of-bounds access or integer overflow conditions classified under CWE-770 (Allocation of Resources Without Limits or Throttling). An RTP packet whose padding length is zero or exceeds the remaining payload therefore causes the packet factory to panic rather than gracefully reject the packet. Affected products include the pion/interceptor library (purl:github/pion/interceptor) in versions v0.1.36, v0.1.37, and v0.1.38.

Affected Products

Pion Interceptor library (GitHub: pion/interceptor) - Versions v0.1.36, v0.1.37, v0.1.38. Affected package identifiers: purl:github/pion/interceptor@v0.1.36, purl:github/pion/interceptor@v0.1.37, purl:github/pion/interceptor@v0.1.38. All downstream applications implementing RTP/RTCP communication using these specific versions of Pion Interceptor are affected, including but not limited to WebRTC SFU implementations, RTP media servers, and RTCP-based monitoring systems. The vulnerability does not affect users of Pion Interceptor v0.1.39 or later, or users who do not use the Pion Interceptor library. No vendor advisory links are provided in the description; users should reference the official Pion project repository on GitHub.

Remediation

Immediate: Upgrade Pion Interceptor to v0.1.39 or later, which includes input validation that checks `padLen > 0 && padLen <= payloadLength` and returns an error on overflow instead of panicking. This is the recommended fix.

Alternatively, if an immediate upgrade is not feasible:
(1) Manual patch application - apply the validation logic from the referenced pull request to the local codebase.
(2) Network-level mitigation - configure packet filtering or firewall rules to drop RTP packets with the P-bit set (0x20 in the first byte of the RTP header) as a temporary workaround, though this may impact legitimate RTP padding use.
(3) Application-level workaround - implement a wrapper that catches panics from the RTP packet factory and gracefully handles malformed packets.

Monitor the official Pion project repository (https://github.com/pion/interceptor) for patch release 0.1.39 details and apply within standard patch management cycles.
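The padding check named in the description and in the remediation above, carried through as a small Go parser. This is an added example, not code from pion/interceptor or from its fix; the header layout follows RFC 3550 (12-byte fixed header, CSRC list, optional extension), `Payload`, `headerLen` and `mkPacket` are names chosen here, and the sample packets are constructed. The point it shows is that a packet with the P bit set must carry a padLen that is non-zero and no larger than the remaining payload, and that anything else is returned as an error rather than reaching a slice expression that would panic:

```go
package main

import (
	"errors"
	"fmt"
)

// Fixed RTP header size per RFC 3550 (V/P/X/CC, M/PT, seq, timestamp, SSRC).
const rtpFixedHeaderLen = 12

var (
	ErrTooShort   = errors.New("rtp: packet shorter than its header")
	ErrBadPadding = errors.New("rtp: P bit set but padLen is zero or exceeds payload")
)

// headerLen computes the RTP header length, including CSRC entries and an
// optional header extension (RFC 3550 section 5.3.1).
func headerLen(pkt []byte) (int, error) {
	if len(pkt) < rtpFixedHeaderLen {
		return 0, ErrTooShort
	}
	n := rtpFixedHeaderLen + 4*int(pkt[0]&0x0F) // CC: number of 32-bit CSRC words
	if pkt[0]&0x10 != 0 {                      // X bit: extension header follows
		if len(pkt) < n+4 {
			return 0, ErrTooShort
		}
		extWords := int(pkt[n+2])<<8 | int(pkt[n+3]) // extension length in 32-bit words
		n += 4 + 4*extWords
	}
	if len(pkt) < n {
		return 0, ErrTooShort
	}
	return n, nil
}

// Payload returns the RTP payload with any trailing padding removed. When the
// P bit (0x20 in byte 0) is set, the last byte of the packet is padLen and it
// must satisfy padLen > 0 && padLen <= payloadLength; any other value is
// rejected with an error instead of being used to slice the buffer.
func Payload(pkt []byte) ([]byte, error) {
	hl, err := headerLen(pkt)
	if err != nil {
		return nil, err
	}
	payload := pkt[hl:]
	if pkt[0]&0x20 == 0 {
		return payload, nil // no padding to strip
	}
	if len(payload) == 0 {
		return nil, ErrBadPadding // P bit set but no byte to hold padLen
	}
	padLen := int(payload[len(payload)-1])
	if padLen == 0 || padLen > len(payload) {
		return nil, ErrBadPadding
	}
	return payload[:len(payload)-padLen], nil
}

// mkPacket builds a constructed RTP packet: version 2, no CSRCs, no extension,
// payload type 96, zeroed seq/timestamp/SSRC, followed by body. The P bit is
// set when padded is true.
func mkPacket(padded bool, body []byte) []byte {
	hdr := make([]byte, rtpFixedHeaderLen)
	hdr[0] = 0x80
	if padded {
		hdr[0] |= 0x20
	}
	hdr[1] = 96
	return append(hdr, body...)
}

func main() {
	samples := []struct {
		name string
		pkt  []byte
	}{
		{"unpadded", mkPacket(false, []byte("abc"))},
		{"valid padding", mkPacket(true, []byte{'a', 'b', 'c', 0, 0, 3})},
		{"padLen zero", mkPacket(true, []byte{'a', 'b', 'c', 0})},
		{"padLen > payload", mkPacket(true, []byte{'a', 'b', 'c', 200})},
		{"P bit, no payload", mkPacket(true, nil)},
	}
	for _, s := range samples {
		p, err := Payload(s.pkt)
		fmt.Printf("%-18s payload=%q err=%v\n", s.name, p, err)
	}
}
```

The two rejected shapes (padLen of zero, padLen larger than the payload) are exactly the ones the description says to drop when upgrading is not possible, so the same function can serve as the application-level filter in front of an older library version; a validation error here is a normal return value and can be counted and logged per source rather than crashing the process.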

Priority Score

38 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +38
POC: 0

Vendor Status

Ubuntu

Priority: Medium
Package: golang-github-pion-interceptor
Release | Status | Version
jammy | DNE | -
noble | needs-triage | -
upstream | not-affected | debian: Vulnerable code not present
oracular | ignored | end of life, was needs-triage
questing | needs-triage | -
plucky | ignored | end of life, was needs-triage

Debian

Package: golang-github-pion-interceptor
Release | Status | Fixed Version | Urgency
bookworm, trixie | fixed | 0.1.12-1 | -
forky, sid | fixed | 0.1.42-1 | -
(unstable) | not-affected | - | -


CVE-2025-49140 vulnerability details – vuln.today
