VYPR
High severityOSV Advisory· Published Dec 16, 2025· Updated Dec 17, 2025

SIPGO library has response DoS vulnerability via nil pointer dereference

CVE-2025-68274

Description

SIPGO is a library for writing SIP services in the GO language. Starting in version 0.3.0 and prior to version 1.0.0-alpha-1, a nil pointer dereference vulnerability is in the SIPGO library's NewResponseFromRequest function that affects all normal SIP operations. The vulnerability allows remote attackers to crash any SIP application by sending a single malformed SIP request without a To header. The vulnerability occurs when SIP message parsing succeeds for a request missing the To header, but the response creation code assumes the To header exists without proper nil checks. This affects routine operations like call setup, authentication, and message handling - not just error cases. This vulnerability affects all SIP applications using the sipgo library, not just specific configurations or edge cases, as long as they make use of the NewResponseFromRequest function. Version 1.0.0-alpha-1 contains a patch for the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/emiago/sipgoGo
>= 0.3.0, < 1.0.0-alpha-11.0.0-alpha-1

Affected products

3

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.

CVE-2025-68274 · high · VYPR