SIPGO library has response DoS vulnerability via nil pointer dereference
Description
SIPGO is a library for writing SIP services in the GO language. Starting in version 0.3.0 and prior to version 1.0.0-alpha-1, a nil pointer dereference vulnerability is in the SIPGO library's NewResponseFromRequest function that affects all normal SIP operations. The vulnerability allows remote attackers to crash any SIP application by sending a single malformed SIP request without a To header. The vulnerability occurs when SIP message parsing succeeds for a request missing the To header, but the response creation code assumes the To header exists without proper nil checks. This affects routine operations like call setup, authentication, and message handling - not just error cases. This vulnerability affects all SIP applications using the sipgo library, not just specific configurations or edge cases, as long as they make use of the NewResponseFromRequest function. Version 1.0.0-alpha-1 contains a patch for the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing nil-check in sipgo's NewResponseFromRequest function lets unpatched before v1.0.0-alpha-1 allows remote attackers to crash SIP applications via a malformed request lacking a To header.
Vulnerability
Overview
A nil pointer dereference vulnerability exists in the SIPGO library (versions ≥0.3.0 and <1.0.0-alpha-1) within the NewResponseFromRequest function. The root cause is an unchecked assumption that the To header is always present in the parsed SIP request, leading to a panic when res.To().Params is accessed on a nil receiver [2][3]. The flaw was introduced when the library's response creation logic copied headers from the request but failed to verify the existence of the To header before attempting to manipulate its parameters add a tag parameter.
Exploitation
An attacker can trigger the vulnerability by sending a single malformed SIP request that lacks a To header. No authentication or special network access is required; the attack is remote and can be performed over any SIP message processed by the library. The parsing step tolerates the missing header, but the subsequent response creation in NewResponseFromRequest dereferences a nil pointer, causing a segmentation fault (SIGSEGV) [1][3].
Impact
Successful exploitation results in an immediate crash (denial of service) of any SIP application that uses the vulnerable function, including call setup, registration, and authentication flows. The advisory notes that this affects all normal SIP operations, not just error handling paths [2][3].
Mitigation
The issue is patched in version 1.0.0-alpha-1 by adding a nil check for the To header field before accessing its parameters [4]. Users of the library should upgrade immediately as there is no workaround; unpatched versions expose their SIP services to remote DoS attacks [2][3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/emiago/sipgoGo | >= 0.3.0, < 1.0.0-alpha-1 | 1.0.0-alpha-1 |
Affected products
1Patches
1dc9669364a15fix: DoS issue when To header is not present
1 file changed · +4 −3
sip/response.go+4 −3 modified@@ -239,9 +239,10 @@ func NewResponseFromRequest( case 100: CopyHeaders("Timestamp", req, res) default: - if _, ok := res.To().Params["tag"]; !ok { - uuid, _ := uuid.NewRandom() - res.to.Params["tag"] = uuid.String() + if h := res.To(); h != nil { + if _, ok := h.Params["tag"]; !ok { + h.Params["tag"] = uuid.NewString() + } } }
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/advisories/GHSA-c623-f998-8hhvghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-68274ghsaADVISORY
- github.com/emiago/sipgo/commit/dc9669364a154ec6d134e542f6a63c31b5afe6e8ghsax_refsource_MISCWEB
- github.com/emiago/sipgo/security/advisories/GHSA-c623-f998-8hhvghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.