CVE-2025-12207

Kamailio Grammar Rule cfg.y yyerror_at null pointer dereference

CVSS 4.8 MEDIUMEPSS 0.2%CWE-404 CWE-476

Vexday Risk Score

13Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 4.8EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

27 oct 2025Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

A vulnerability has been found in Kamailio 5.5. This affects the function yyerror_at of the file src/core/cfg.y of the component Grammar Rule Handler. Such manipulation leads to null pointer dereference. The attack needs to be performed locally. The exploit has been disclosed to the public and may be used. The actual existence of this vulnerability is currently in question. This attack requires manipulating config files which might not be a realistic scenario in many cases. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

Productos afectados

n/a · Kamailio

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://shimo.im/docs/vVqRMVMlrycMO63y https://shimo.im/docs/vVqRMVMlrycMO63y/https://vuldb.com/?ctiid.329877 https://vuldb.com/?id.329877 https://vuldb.com/?submit.673241 https://www.openwall.com/lists/oss-security/2025/10/27/8 https://www.openwall.com/lists/oss-security/2025/11/02/3 http://www.openwall.com/lists/oss-security/2025/10/27/12 http://www.openwall.com/lists/oss-security/2025/10/27/8