CVE-2025-57767

Description

Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.15.2, 21.10.2, and 22.5.2, if a SIP request is received with an Authorization header that contains a realm that wasn't in a previous 401 response's WWW-Authenticate header, or an Authorization header with an incorrect realm was received without a previous 401 response being sent, the get_authorization_header() function in res_pjsip_authenticator_digest will return a NULL. This wasn't being checked before attempting to get the digest algorithm from the header which causes a SEGV. This issue has been patched in versions 20.15.2, 21.10.2, and 22.5.2. There are no workarounds.

PUBLISHED Reserved 2025-08-19 | Published 2025-08-28 | Updated 2025-08-28 | Assigner GitHub_M

Problem types

CWE-253: Incorrect Check of Function Return Value

Product status

References

github.com/...terisk/security/advisories/GHSA-64qc-9x89-rx5j

github.com/asterisk/asterisk/pull/1407

github.com/...ommit/02993717b08f899d4aca9888062f35dfb198584f

cve.org (CVE-2025-57767)

nvd.nist.gov (CVE-2025-57767)

Download JSON