CVE-2025-49140: Pion Interceptor's improper RTP padding handling allows remote crash for SFU users (DoS)
Pion Interceptor versions v0.1.36 through v0.1.38 contain a bug in an RTP packet factory that can be exploited to trigger a panic in Pion-based SFUs via crafted RTP packets. This only affects users of pion/interceptor.
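The advisory's fault class is an RTP receive path that trusts the padding trailer of an inbound packet. The block below is an added, self-contained example (not pion/interceptor code, and not a reconstruction of the specific defect) of the strict RFC 3550 padding validation a receiver should apply: the padding-count octet must be non-zero and must not exceed the bytes that follow the header, and any violation is returned as an error rather than allowed to index out of range and panic. The packet layout helper `buildPacket` and the sample packets are constructed for this illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Added example: minimal RTP fixed-header parse (RFC 3550 section 5.1) with
// defensive padding validation. Not pion/interceptor's implementation.

const rtpFixedHeaderLen = 12

var (
	ErrShort   = errors.New("rtp: packet shorter than its declared header")
	ErrVersion = errors.New("rtp: unsupported version")
	ErrPadding = errors.New("rtp: invalid padding length")
)

// Packet holds the parsed fixed header fields and the payload slice.
type Packet struct {
	Version        uint8
	Padding        bool
	Extension      bool
	CSRCCount      uint8
	Marker         bool
	PayloadType    uint8
	SequenceNumber uint16
	Timestamp      uint32
	SSRC           uint32
	PaddingSize    uint8
	Payload        []byte
}

// Parse decodes buf and returns an error for every malformed length field
// instead of letting a later slice expression panic.
func Parse(buf []byte) (*Packet, error) {
	if len(buf) < rtpFixedHeaderLen {
		return nil, ErrShort
	}
	p := &Packet{}
	p.Version = buf[0] >> 6
	if p.Version != 2 {
		return nil, ErrVersion
	}
	p.Padding = buf[0]&0x20 != 0
	p.Extension = buf[0]&0x10 != 0
	p.CSRCCount = buf[0] & 0x0F
	p.Marker = buf[1]&0x80 != 0
	p.PayloadType = buf[1] & 0x7F
	p.SequenceNumber = binary.BigEndian.Uint16(buf[2:4])
	p.Timestamp = binary.BigEndian.Uint32(buf[4:8])
	p.SSRC = binary.BigEndian.Uint32(buf[8:12])

	// Header may be extended by CSRC entries and an optional header extension.
	offset := rtpFixedHeaderLen + 4*int(p.CSRCCount)
	if len(buf) < offset {
		return nil, ErrShort
	}
	if p.Extension {
		if len(buf) < offset+4 {
			return nil, ErrShort
		}
		extLen := int(binary.BigEndian.Uint16(buf[offset+2:offset+4])) * 4
		offset += 4
		if len(buf) < offset+extLen {
			return nil, ErrShort
		}
		offset += extLen
	}

	end := len(buf)
	if p.Padding {
		// There must be at least one octet after the header to hold the count.
		if end <= offset {
			return nil, ErrPadding
		}
		p.PaddingSize = buf[end-1]
		// RFC 3550: the count includes the count octet itself, so zero is
		// invalid, and it can never exceed the bytes following the header.
		if p.PaddingSize == 0 || int(p.PaddingSize) > end-offset {
			return nil, ErrPadding
		}
		end -= int(p.PaddingSize)
	}
	p.Payload = buf[offset:end]
	return p, nil
}

// buildPacket constructs a sample RTP packet (PT 96, fixed SSRC) for testing.
// When paddingSize > 0 the P bit is set and a trailer of that length is appended.
func buildPacket(payload []byte, paddingSize uint8) []byte {
	hdr := []byte{0x80, 96, 0x12, 0x34, 0, 0, 0, 1, 0xde, 0xad, 0xbe, 0xef}
	if paddingSize > 0 {
		hdr[0] |= 0x20
	}
	pkt := append(hdr, payload...)
	if paddingSize > 0 {
		pad := make([]byte, paddingSize)
		pad[len(pad)-1] = paddingSize
		pkt = append(pkt, pad...)
	}
	return pkt
}

func main() {
	good := buildPacket([]byte{1, 2, 3}, 2)
	bad := buildPacket([]byte{1, 2, 3}, 2)
	bad[len(bad)-1] = 200 // constructed: padding count larger than the packet
	for _, b := range [][]byte{good, bad} {
		p, err := Parse(b)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("payload=%v padding=%d\n", p.Payload, p.PaddingSize)
	}
}
```

The point of the check is that the padding count is attacker-controlled input like any other length field: it is validated against the actual buffer before being used to compute a slice boundary, so a malformed trailer costs the receiver one early return instead of a process crash.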
References
- github.com/advisories/GHSA-f26w-gh5m-qq77
- github.com/pion/interceptor
- github.com/pion/interceptor/commit/fa5b35ea867389cec33a9c82fffbd459ca8958e5
- github.com/pion/interceptor/pull/338
- github.com/pion/interceptor/security/advisories/GHSA-f26w-gh5m-qq77
- github.com/pion/webrtc/issues/3148
- nvd.nist.gov/vuln/detail/CVE-2025-49140
Detect and mitigate CVE-2025-49140 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning.