CVE-2025-49140
Description
Pion Interceptor is a framework for building RTP/RTCP communication software. Versions v0.1.36 through v0.1.38 contain a bug in an RTP packet factory that can be exploited to trigger a panic in a Pion-based SFU via crafted RTP packets. This only affects users of pion/interceptor. Users should upgrade to v0.1.39 or later, which validates that padLen > 0 && padLen <= payloadLength and returns an error on overflow instead of panicking. If upgrading is not possible, apply the patch from the pull request manually, or drop packets whose P-bit is set but whose padLen is zero or larger than the remaining payload.
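The padding check described above, shown as an added Go example; this is not Pion's code and not taken from the advisory or the pull request. It parses the RFC 3550 fixed header, CSRC list and optional extension with its own hypothetical helpers (headerLen, payloadLen, uncheckedPayload, buildPacket), applies the padLen > 0 && padLen <= payloadLength rule when the P bit is set, and contrasts it with an unchecked slice that panics on the same constructed packets.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// rtpFixedHeaderLen is the RFC 3550 fixed header size. In the first octet the
// P (padding) bit is 0x20, the X (extension) bit is 0x10 and CC is the low nibble.
const rtpFixedHeaderLen = 12

var (
	ErrShortPacket = errors.New("rtp: packet shorter than its header")
	ErrBadPadding  = errors.New("rtp: padLen is zero or larger than the payload")
)

// headerLen walks the fixed header, the CSRC list and the optional extension
// and returns the payload offset, or ErrShortPacket if the buffer ends first.
func headerLen(pkt []byte) (int, error) {
	if len(pkt) < rtpFixedHeaderLen {
		return 0, ErrShortPacket
	}
	n := rtpFixedHeaderLen + 4*int(pkt[0]&0x0F) // one 32-bit word per CSRC
	if len(pkt) < n {
		return 0, ErrShortPacket
	}
	if pkt[0]&0x10 != 0 { // extension: 2-byte profile, 2-byte length in 32-bit words
		if len(pkt) < n+4 {
			return 0, ErrShortPacket
		}
		n += 4 + 4*int(binary.BigEndian.Uint16(pkt[n+2:n+4]))
		if len(pkt) < n {
			return 0, ErrShortPacket
		}
	}
	return n, nil
}

// payloadLen is the hardened form: when the P bit is set, the last octet of the
// packet is padLen, which must satisfy padLen > 0 && padLen <= payloadLength.
// Any other value is rejected with an error rather than used as a slice bound.
func payloadLen(pkt []byte) (int, error) {
	hdr, err := headerLen(pkt)
	if err != nil {
		return 0, err
	}
	payload := len(pkt) - hdr
	if pkt[0]&0x20 == 0 { // P bit clear: the whole remainder is payload
		return payload, nil
	}
	padLen := int(pkt[len(pkt)-1])
	if padLen == 0 || padLen > payload {
		return 0, ErrBadPadding
	}
	return payload - padLen, nil
}

// uncheckedPayload is a constructed illustration of the unsafe pattern (not
// Pion's code): it trusts padLen and slices with it. A padLen larger than the
// payload makes the upper bound negative and Go panics at runtime, which is
// the crash class the advisory describes.
func uncheckedPayload(pkt []byte) []byte {
	body := pkt[rtpFixedHeaderLen:]
	if pkt[0]&0x20 == 0 {
		return body
	}
	padLen := int(body[len(body)-1])
	return body[:len(body)-padLen]
}

// buildPacket builds a constructed packet: a 12-byte header with V=2 plus the
// given flag bits (all other fields zero) followed by payload. Padding octets,
// if any, are part of payload and the caller puts padLen in the last one.
func buildPacket(flags byte, payload []byte) []byte {
	hdr := make([]byte, rtpFixedHeaderLen)
	hdr[0] = 0x80 | flags
	return append(hdr, payload...)
}

func main() {
	samples := []struct {
		name string
		pkt  []byte
	}{
		{"no padding", buildPacket(0x00, []byte("abcde"))},
		{"valid padding", buildPacket(0x20, []byte{1, 2, 3, 0, 2})}, // 3 data + 2 pad
		{"padLen too big", buildPacket(0x20, []byte{1, 0xFF})},      // padLen 255 > 2
		{"padLen zero", buildPacket(0x20, []byte{0})},               // P set, padLen 0
	}
	for _, s := range samples {
		n, err := payloadLen(s.pkt)
		fmt.Printf("%-15s payload=%d err=%v\n", s.name, n, err)
	}
}
```

Dropping a packet on ErrBadPadding is the interim mitigation the description recommends; the unchecked variant is kept only to show why a bounds check, not a recover(), is the right fix.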
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/pion/interceptor | Go | >= 0.1.36, < 0.1.39 | 0.1.39 |
Affected products
- Range: v0.1.36, v0.1.37, v0.1.38
- OSV coordinates (18 packages, no CPE assigned):
  - pkg:apk/chainguard/go-ipfs-fips: < 0.35.0-r1
  - pkg:apk/chainguard/ipfs: < 0.35.0-r2
  - pkg:apk/chainguard/ipfs-cluster-fips: < 1.1.4-r2
  - pkg:apk/chainguard/ipfs-cluster-fips-compat: < 1.1.4-r2
  - pkg:apk/chainguard/ipfs-cluster-fips-oci-entrypoint: < 1.1.4-r2
  - pkg:apk/chainguard/k3s: < 1.33.1.1-r1
  - pkg:apk/chainguard/k3s-embedded: < 1.33.1.1-r1
  - pkg:apk/chainguard/k3s-images: < 1.33.1.1-r1
  - pkg:apk/chainguard/k3s-multicall: < 1.33.1.1-r1
  - pkg:apk/chainguard/k3s-static: < 1.33.1.1-r1
  - pkg:apk/wolfi/ipfs: < 0.35.0-r2
  - pkg:apk/wolfi/k3s: < 1.33.1.1-r1
  - pkg:apk/wolfi/k3s-embedded: < 1.33.1.1-r1
  - pkg:apk/wolfi/k3s-images: < 1.33.1.1-r1
  - pkg:apk/wolfi/k3s-multicall: < 1.33.1.1-r1
  - pkg:apk/wolfi/k3s-static: < 1.33.1.1-r1
  - pkg:golang/github.com/pion/interceptor: >= 0.1.36, < 0.1.39
  - pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed: < 0.0.20250612T141001-1.1
References
- github.com/advisories/GHSA-f26w-gh5m-qq77 (source: GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-49140 (source: GHSA, advisory)
- github.com/pion/interceptor/commit/fa5b35ea867389cec33a9c82fffbd459ca8958e5 (source: NVD, web)
- github.com/pion/interceptor/pull/338 (source: NVD, web)
- github.com/pion/interceptor/security/advisories/GHSA-f26w-gh5m-qq77 (source: NVD, web)
- github.com/pion/webrtc/issues/3148 (source: NVD, web)