PT-2025-24565 · Pion · Pion Interceptor

Kmansoft · Published 2025-06-09 · Updated 2025-07-03 · CVE-2025-49140

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Pion Interceptor versions v0.1.36 through v0.1.38

Description: Pion Interceptor is a framework for building RTP/RTCP communication software. The issue is caused by a bug in the RTP packet factory, which crafted RTP packets can exploit to trigger a panic in a Pion-based SFU. This only affects users of pion/interceptor.

Recommendations: For versions v0.1.36 through v0.1.38, upgrade to v0.1.39 or later, which includes a fix that validates padLen > 0 && padLen <= payloadLength and returns an error on overflow instead of panicking. If upgrading is not possible, apply the patch from the pull request manually, or drop packets whose P-bit is set but whose padLen is zero or larger than the remaining payload.
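The padding check the advisory describes, as an added Go example that is not pion/interceptor's own code: a minimal RTP parser that applies the padLen > 0 && padLen <= payloadLength rule and rejects the packet otherwise, which is also the drop-the-packet workaround above. The function and error names, and the sample packets, are this example's own constructions.

```go
package main

import (
	"errors"
	"fmt"
)

var ErrShortPacket = errors.New("rtp: packet too short")
var ErrBadPadding = errors.New("rtp: padding length invalid")

// SplitPayload is example code, not pion/interceptor's parser: it reads a
// minimal RTP packet (RFC 3550 header, CSRC list, optional extension) and
// returns the payload with padding stripped. With the P bit set, the last
// byte is padLen, which must satisfy padLen > 0 && padLen <= len(payload).
func SplitPayload(pkt []byte) ([]byte, error) {
	if len(pkt) < 12 {
		return nil, ErrShortPacket
	}
	padding := pkt[0]&0x20 != 0
	extension := pkt[0]&0x10 != 0
	off := 12 + 4*int(pkt[0]&0x0f) // fixed header plus CSRC list
	if extension {
		if len(pkt) < off+4 {
			return nil, ErrShortPacket
		}
		off += 4 + 4*int(uint16(pkt[off+2])<<8|uint16(pkt[off+3]))
	}
	if len(pkt) < off {
		return nil, ErrShortPacket
	}
	payload := pkt[off:]
	if !padding {
		return payload, nil
	}
	if len(payload) == 0 {
		return nil, ErrBadPadding
	}
	padLen := int(payload[len(payload)-1])
	if padLen == 0 || padLen > len(payload) {
		return nil, ErrBadPadding // unchecked, len(payload)-padLen would go negative
	}
	return payload[:len(payload)-padLen], nil
}

func main() {
	// Constructed packet: V=2, P set, PT 96, payload "ab" plus two padding bytes.
	pkt := []byte{0xA0, 0x60, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 'a', 'b', 0, 2}
	p, err := SplitPayload(pkt)
	fmt.Printf("payload=%q err=%v\n", p, err) // payload="ab" err=<nil>
}
```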

Weakness Enumeration

Allocation of Resources Without Limits

Related Identifiers

CVE-2025-49140
GHSA-F26W-GH5M-QQ77
GO-2025-3748
OPENSUSE-SU-2025:15225-1

Affected Products

Pion Interceptor