The vulnerability CVE-2025-68274 is a NULL pointer dereference in the emiago sipgo library, a Go language library used for developing SIP (Session Initiation Protocol) services. The flaw resides in the NewResponseFromRequest function, which processes SIP requests and generates corresponding responses. Specifically, when a SIP request is received without a To header—a mandatory field in SIP messages—the parsing succeeds but the response creation code assumes the To header is present without performing a nil check. This leads to a NULL pointer dereference when the code attempts to access the missing header, causing the application to crash. Since SIPGO is used for fundamental SIP operations including call setup, authentication, and message handling, this vulnerability can be exploited remotely by sending a single malformed SIP request to crash any SIP application using the affected versions (>= v0.3.0 and < v1.0.0-alpha-1). No authentication or user interaction is required, and the attack surface is broad as it affects all normal SIP operations, not just edge cases. The vulnerability has a CVSS 4.0 score of 8.7 (high severity), reflecting its ease of exploitation and significant impact on availability. Although no known exploits are currently reported in the wild, the potential for denial of service attacks on SIP infrastructure is substantial. The issue is fixed in version 1.0.0-alpha-1 of sipgo. Organizations using this library in their SIP services must upgrade or implement robust input validation to mitigate the risk.

For European organizations, the impact of this vulnerability is primarily a denial of service (DoS) condition affecting SIP-based communication services. SIP is widely used in VoIP telephony, video conferencing, and unified communications, which are critical for business operations and emergency services. A successful exploit can crash SIP servers or applications, leading to service outages, disrupted communications, and potential loss of business continuity. This can affect enterprises, telecom providers, and public sector organizations relying on SIPGO-based SIP services. The disruption could also impact customer trust and regulatory compliance, especially under GDPR where service availability and data integrity are important. Additionally, attackers could leverage this vulnerability to create persistent outages or as part of larger multi-vector attacks targeting telecom infrastructure. The lack of authentication and user interaction requirements increases the risk of automated exploitation attempts. Given the centrality of SIP in modern communication, the vulnerability poses a significant operational risk to European organizations.

1. Upgrade all SIPGO library instances to version 1.0.0-alpha-1 or later, where the NULL pointer dereference issue is patched. 2. Implement strict input validation on SIP requests at the network perimeter or SIP proxy level to reject malformed SIP messages lacking mandatory headers such as the To header. 3. Deploy SIP-aware intrusion detection and prevention systems (IDS/IPS) that can detect and block anomalous SIP traffic patterns indicative of malformed requests. 4. Conduct regular code audits and fuzz testing on SIP handling components to identify and remediate similar vulnerabilities proactively. 5. Establish robust monitoring and alerting for SIP service crashes or abnormal restarts to enable rapid incident response. 6. Consider deploying SIP redundancy and failover mechanisms to maintain service availability during potential attack attempts. 7. Engage with vendors and open-source communities to stay informed about updates and patches related to SIPGO and related SIP libraries. 8. For organizations unable to upgrade immediately, implement application-level wrappers or middleware that perform header validation before passing requests to SIPGO functions.