CVE-2025-68274: SIPGO is Vulnerable to Response DoS via Nil Pointer Dereference
A nil pointer dereference vulnerability was discovered in the SIPGO library’s NewResponseFromRequest function that affects all normal SIP operations. The vulnerability allows remote attackers to crash any SIP application by sending a single malformed SIP request without a To header.
The vulnerability occurs when SIP message parsing succeeds for a request missing the To header, but the response creation code assumes the To header exists without proper nil checks. This affects routine operations like call setup, authentication, and message handling - not just error cases.
Note: This vulnerability affects all SIP applications using the sipgo library, not just specific configurations or edge cases, as long as they make use of the NewResponseFromRequest function.
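The failure mode described above, reduced to a standard-library-only Go sketch with the unchecked dereference beside a guarded version. This is an added example, not sipgo's code or its fix: the types, `parseRequest`, `newResponseUnchecked`, `newResponseChecked` and `ErrMissingTo` are hypothetical stand-ins, and the sample request is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Simplified stand-ins for a SIP stack's types (hypothetical, not sipgo's own).
type ToHeader struct{ Address string }
type Request struct{ to *ToHeader } // to stays nil when no To header was sent
type Response struct {
	Status int
	To     ToHeader
}
func (r *Request) To() *ToHeader { return r.to }

// Constructed sample: a request that carries no To header.
const sampleNoTo = "OPTIONS sip:svc@example.invalid SIP/2.0\r\nCall-ID: c1\r\nCSeq: 1 OPTIONS\r\n\r\n"

// parseRequest succeeds even when To is absent, as the advisory describes.
func parseRequest(raw string) *Request {
	req := &Request{}
	for _, line := range strings.Split(raw, "\r\n") {
		name, val, ok := strings.Cut(line, ":")
		if ok && strings.EqualFold(strings.TrimSpace(name), "To") {
			req.to = &ToHeader{Address: strings.TrimSpace(val)}
		}
	}
	return req
}

var ErrMissingTo = errors.New("request has no To header")

// newResponseUnchecked assumes To exists: a nil To panics and kills the process.
func newResponseUnchecked(req *Request, status int) *Response {
	return &Response{Status: status, To: *req.To()}
}

// newResponseChecked validates To first and returns an error the caller can handle.
func newResponseChecked(req *Request, status int) (*Response, error) {
	if req.To() == nil {
		return nil, ErrMissingTo
	}
	return &Response{Status: status, To: *req.To()}, nil
}

func main() {
	fmt.Println(newResponseChecked(parseRequest(sampleNoTo), 200))
}
```

In a handler, the same nil check on the To header before any response is built lets the application drop or reject the request instead of crashing.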