CVE-2025-49140
Description
Pion Interceptor is a framework for building RTP/RTCP communication software. Versions v0.1.36 through v0.1.38 contain a bug in an RTP packet factory that can be exploited to trigger a panic in a Pion-based SFU via crafted RTP packets. This only affects users of pion/interceptor. Users should upgrade to v0.1.39 or later, which validates that padLen > 0 && padLen <= payloadLength and returns an error on overflow instead of panicking. If upgrading is not possible, apply the patch from the pull request manually, or drop packets whose P-bit is set but whose padLen is zero or larger than the remaining payload.
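The following is an added example, not code from pion/interceptor, showing why the unchecked reslice panics and what the validation described above looks like in Go. It assumes the packet's P-bit is set and that `payload` is the RTP payload including the trailing padding count byte; the sentinel name `errPaddingOverflow` is taken from the fix diff, everything else (function names, sample packets) is constructed for illustration. The checked version follows the advisory's stated rule (padLen > 0 && padLen <= payloadLength), so it also rejects a zero count, which RFC 3550 does not allow since the count includes the count byte itself.

```go
package main

import (
	"errors"
	"fmt"
)

// errPaddingOverflow mirrors the sentinel added in pion/interceptor v0.1.39
// (name from the fix diff; the rest of this file is illustrative only).
var errPaddingOverflow = errors.New("padding size exceeds payload size")

// stripPaddingUnchecked reproduces the pre-fix behaviour: it trusts the padding
// count in the last byte and reslices without validating it. A packet whose
// count exceeds len(payload) makes the new length negative and Go panics with
// "slice bounds out of range".
func stripPaddingUnchecked(payload []byte) []byte {
	if len(payload) == 0 {
		return payload
	}
	padLen := int(payload[len(payload)-1])
	return payload[:len(payload)-padLen] // runtime panic when padLen > len(payload)
}

// stripPaddingChecked applies the validation the advisory describes:
// padLen must be > 0 and <= len(payload). Anything else is rejected with an
// error so the caller can drop the packet instead of crashing the SFU.
func stripPaddingChecked(payload []byte) ([]byte, error) {
	if len(payload) == 0 {
		return payload, nil
	}
	padLen := int(payload[len(payload)-1])
	if padLen == 0 || padLen > len(payload) {
		return nil, errPaddingOverflow
	}
	return payload[:len(payload)-padLen], nil
}

// recoverPanic runs f and reports whether it panicked, so the unsafe path can be
// demonstrated without taking down the process.
func recoverPanic(f func()) (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	f()
	return false
}

func main() {
	// Constructed sample payloads (P-bit assumed set on each packet).
	valid := []byte{'t', 'e', 's', 't', 0, 0, 3} // 3 padding octets incl. the count byte
	overflow := []byte{0, 1, 200}                // count 200 > 3 bytes of payload
	zero := []byte{'a', 'b', 0}                  // count 0 is invalid per RFC 3550

	fmt.Println("unchecked panics on overflow:", recoverPanic(func() { stripPaddingUnchecked(overflow) }))
	for _, p := range [][]byte{valid, overflow, zero} {
		out, err := stripPaddingChecked(p)
		fmt.Printf("%v -> %q err=%v\n", p, out, err)
	}
}
```

A receiver that cannot upgrade can apply the same rule at ingress: if the P-bit is set and the last payload byte is zero or larger than the payload, drop the packet rather than hand it to the packet factory.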
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/pion/interceptor (Go) | >= 0.1.36, < 0.1.39 | 0.1.39 |
Patches
fa5b35ea8673 Fix padding overflow with PacketFactory
3 files changed · +55 −1
internal/rtpbuffer/errors.go+1 −0 modified@@ -12,4 +12,5 @@ var ( errPacketReleased = errors.New("could not retain packet, already released") errFailedToCastHeaderPool = errors.New("could not access header pool, failed cast") errFailedToCastPayloadPool = errors.New("could not access payload pool, failed cast") + errPaddingOverflow = errors.New("padding size exceeds payload size") )
internal/rtpbuffer/packet_factory.go+6 −1 modified@@ -84,7 +84,7 @@ func (m *PacketFactoryCopy) NewPacket( } } - if rtxSsrc != 0 && rtxPayloadType != 0 { + if rtxSsrc != 0 && rtxPayloadType != 0 { //nolint:nestif if payload == nil { retainablePacket.buffer, ok = m.payloadPool.Get().(*[]byte) if !ok { @@ -105,6 +105,11 @@ func (m *PacketFactoryCopy) NewPacket( if retainablePacket.header.Padding && retainablePacket.payload != nil && len(retainablePacket.payload) > 0 { paddingLength := int(retainablePacket.payload[len(retainablePacket.payload)-1]) retainablePacket.header.Padding = false + + if paddingLength > len(retainablePacket.payload) { + return nil, errPaddingOverflow + } + retainablePacket.payload = (*retainablePacket.buffer)[:len(retainablePacket.payload)-paddingLength] } }
internal/rtpbuffer/rtpbuffer_test.go+48 −0 modified@@ -4,6 +4,7 @@ package rtpbuffer import ( + "bytes" "testing" "github.com/pion/rtp" @@ -218,3 +219,50 @@ func TestRTPBuffer_Overridden_WithRTX_NILPayload(t *testing.T) { require.Nil(t, sb.Get(1)) } + +func TestRTPBuffer_Padding(t *testing.T) { + pm := NewPacketFactoryCopy() + sb, err := NewRTPBuffer(1) + require.NoError(t, err) + require.Equal(t, uint16(1), sb.size) + + t.Run("valid padding is stripped", func(t *testing.T) { + origPayload := []byte{116, 101, 115, 116} + expected := []byte{0, 1, 116, 101, 115, 116} + + padLen := 120 + padded := make([]byte, 0) + padded = append(padded, origPayload...) + padded = append(padded, bytes.Repeat([]byte{0}, padLen-1)...) + padded = append(padded, byte(padLen)) + + pkt, err := pm.NewPacket(&rtp.Header{ + SequenceNumber: 1, + Padding: true, + }, padded, 1, 1) + require.NoError(t, err) + + sb.Add(pkt) + + retrieved := sb.Get(1) + require.NotNil(t, retrieved) + defer retrieved.Release() + + require.False(t, retrieved.Header().Padding, "P-bit should be cleared after trimming") + + actual := retrieved.Payload() + require.Equal(t, len(expected), len(actual), "payload length after trimming") + require.Equal(t, expected, actual, "payload content after trimming") + }) + + t.Run("overflow padding returns io.ErrShortBuffer", func(t *testing.T) { + overflow := []byte{0, 1, 200} + + _, err := pm.NewPacket(&rtp.Header{ + SequenceNumber: 2, + Padding: true, + }, overflow, 1, 1) + + require.ErrorIs(t, err, errPaddingOverflow, "factory should reject invalid padding") + }) +}
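Review bot: the new guard in packet_factory.go only enforces the upper bound (`paddingLength > len(retainablePacket.payload)`) and still accepts a padding count of zero, although the advisory text says the fix validates `padLen > 0 && padLen <= payloadLength`. With `paddingLength == 0` the reslice `(*retainablePacket.buffer)[:len(retainablePacket.payload)-paddingLength]` keeps the whole payload including the trailing count byte, while `retainablePacket.header.Padding = false` has already cleared the P-bit on the line above, so the packet is forwarded with a silently wrong payload. Suggest `if paddingLength == 0 || paddingLength > len(retainablePacket.payload) {` with a matching subtest. Also worth confirming that the early `return nil, errPaddingOverflow` does not strand the buffer obtained from `m.payloadPool.Get()` in the first hunk; the function's other error returns should show whether it has to be put back first. The `//nolint:nestif` added to the `if rtxSsrc != 0 && rtxPayloadType != 0` line is unrelated to the fix and belongs in its own change.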
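Review bot: the second subtest in rtpbuffer_test.go is named "overflow padding returns io.ErrShortBuffer" but asserts `require.ErrorIs(t, err, errPaddingOverflow, ...)`; rename it to match the sentinel actually returned. The subtests also lack the two boundaries of the new check: a padding count of zero, and a count equal to the payload length (`padLen == len(payload)`), which should produce an empty payload rather than an error.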
References
- https://github.com/advisories/GHSA-f26w-gh5m-qq77 (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2025-49140 (GHSA advisory)
- https://github.com/pion/interceptor/commit/fa5b35ea867389cec33a9c82fffbd459ca8958e5 (NVD reference)
- https://github.com/pion/interceptor/pull/338 (NVD reference)
- https://github.com/pion/interceptor/security/advisories/GHSA-f26w-gh5m-qq77 (NVD reference)
- https://github.com/pion/webrtc/issues/3148 (NVD reference)