VYPR
Unrated severityNVD Advisory· Published Aug 28, 2025· Updated Aug 28, 2025

Asterisk can crash from a specifically malformed Authorization header in an incoming SIP request

CVE-2025-57767

Description

Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.15.2, 21.10.2, and 22.5.2, if a SIP request is received with an Authorization header that contains a realm that wasn't in a previous 401 response's WWW-Authenticate header, or an Authorization header with an incorrect realm was received without a previous 401 response being sent, the get_authorization_header() function in res_pjsip_authenticator_digest will return a NULL. This wasn't being checked before attempting to get the digest algorithm from the header which causes a SEGV. This issue has been patched in versions 20.15.2, 21.10.2, and 22.5.2. There are no workarounds.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Asterisk/Asteriskllm-fuzzy2 versions
    <20.15.2, <21.10.2, <22.5.2+ 1 more
    • (no CPE)range: <20.15.2, <21.10.2, <22.5.2
    • (no CPE)range: < 22.5.2

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.