VYPR
Severity: High (7.5) · OSV Advisory · Published Jun 9, 2025 · Updated Apr 15, 2026

CVE-2025-49140

Description

Pion Interceptor is a framework for building RTP/RTCP communication software. Versions v0.1.36 through v0.1.38 contain a bug in an RTP packet factory that can be exploited to trigger a panic in a Pion-based SFU via crafted RTP packets. Only users of pion/interceptor are affected. Users should upgrade to v0.1.39 or later, which validates that padLen > 0 && padLen <= payloadLength and returns an error, rather than panicking, when the padding length byte would overrun the payload. If upgrading is not possible, apply the patch from the pull request manually, or drop packets whose P-bit is set but whose padLen is zero or larger than the remaining payload.
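The check described above, written out as an added example (this is not pion/interceptor's own code, and the function names PayloadBounds, ShouldDrop and BuildPacket are hypothetical). The RTP padding rule comes from RFC 3550: when the P bit is set, the last octet of the packet holds the number of padding octets, counting itself, so a value of zero or a value larger than the bytes remaining after the header is malformed. The example parses the fixed header, CSRC list and optional extension, then applies exactly the v0.1.39 condition padLen > 0 && padLen <= payloadLength and returns an error instead of letting the length arithmetic wrap. The packets it builds are constructed test data, not captures.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

var (
	ErrTooShort     = errors.New("rtp: packet shorter than fixed header")
	ErrBadExtension = errors.New("rtp: header extension overruns packet")
	ErrBadPadding   = errors.New("rtp: P bit set but padding length is zero or exceeds payload")
)

const minHeaderLen = 12 // V/P/X/CC, M/PT, sequence, timestamp, SSRC

// PayloadBounds returns the offset and length of the RTP payload inside raw
// once the fixed header, CSRC list, optional extension and trailing padding
// have been accounted for. It enforces padLen > 0 && padLen <= payloadLength
// and returns ErrBadPadding instead of computing a negative length.
func PayloadBounds(raw []byte) (start int, length int, err error) {
	if len(raw) < minHeaderLen {
		return 0, 0, ErrTooShort
	}
	padding := raw[0]&0x20 != 0
	extension := raw[0]&0x10 != 0
	cc := int(raw[0] & 0x0F)

	start = minHeaderLen + 4*cc
	if extension {
		// Extension header: 16-bit profile, 16-bit length in 32-bit words.
		if len(raw) < start+4 {
			return 0, 0, ErrBadExtension
		}
		extLen := int(binary.BigEndian.Uint16(raw[start+2:start+4])) * 4
		start += 4
		if len(raw) < start+extLen {
			return 0, 0, ErrBadExtension
		}
		start += extLen
	}
	if len(raw) < start {
		return 0, 0, ErrTooShort
	}
	length = len(raw) - start
	if padding {
		if length == 0 {
			return 0, 0, ErrBadPadding // no room for the padding-length octet
		}
		padLen := int(raw[len(raw)-1])
		if padLen == 0 || padLen > length {
			return 0, 0, ErrBadPadding // the crafted-packet case from the advisory
		}
		length -= padLen
	}
	return start, length, nil
}

// ShouldDrop is the workaround from the advisory for deployments that cannot
// upgrade: discard any packet whose padding does not validate.
func ShouldDrop(raw []byte) bool {
	_, _, err := PayloadBounds(raw)
	return err != nil
}

// BuildPacket assembles a minimal RTP packet (V=2, PT=96, no CSRCs, no
// extension) for testing; trailer is appended verbatim so callers can place
// any padding-length octet at the end.
func BuildPacket(padded bool, payload []byte, trailer []byte) []byte {
	hdr := make([]byte, minHeaderLen)
	hdr[0] = 0x80 // version 2
	if padded {
		hdr[0] |= 0x20 // set the P bit
	}
	hdr[1] = 96
	binary.BigEndian.PutUint16(hdr[2:], 1234)
	binary.BigEndian.PutUint32(hdr[4:], 0x01020304)
	binary.BigEndian.PutUint32(hdr[8:], 0xDEADBEEF)
	pkt := append(hdr, payload...)
	return append(pkt, trailer...)
}

func main() {
	cases := map[string][]byte{
		"unpadded":         BuildPacket(false, []byte("hello"), nil),
		"valid padding=2":  BuildPacket(true, []byte("hello"), []byte{0x00, 0x02}),
		"padLen=0":         BuildPacket(true, []byte("hello"), []byte{0x00}),
		"padLen>payload":   BuildPacket(true, []byte("hello"), []byte{0xFF}),
	}
	for name, pkt := range cases {
		start, n, err := PayloadBounds(pkt)
		fmt.Printf("%-16s start=%d len=%d err=%v drop=%v\n", name, start, n, err, ShouldDrop(pkt))
	}
}
```

Running it shows the two malformed packets rejected with ErrBadPadding while the unpadded and correctly padded packets yield a 5-byte payload; an unchecked `length - padLen` on those inputs is what turns into an out-of-range slice and a panic.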


Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/pion/interceptor (Go)
Affected versions: >= 0.1.36, < 0.1.39
Patched versions: 0.1.39
