PT-2025-35098 · Asterisk +1
Published 2025-08-28 · Updated 2025-08-28
CVE-2025-57767 · CVSS 7.5 (High)
CVSS 3.x base vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions:
Asterisk versions prior to 20.15.2
Asterisk versions prior to 21.10.2
Asterisk versions prior to 22.5.2
Description:
Asterisk is an open source private branch exchange (PBX) and telephony toolkit. If a Session Initiation Protocol (SIP) request arrives with an Authorization header whose realm was not present in the WWW-Authenticate header of a previous 401 response, or with an incorrect realm when no 401 was sent at all, the `get_authorization_header()` function in `res_pjsip_authenticator_digest` returns NULL. The caller does not validate that return value before trying to read the digest algorithm from the header, so the NULL pointer is dereferenced and Asterisk crashes with a segmentation fault (SEGV). An unauthenticated remote sender can therefore cause a denial of service, which is what the CVSS vector (C:N/I:N/A:H) reflects.
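The failure mode the description names is a classic unchecked-NULL-return pattern. The following C sketch is an added illustration, not code from Asterisk, pjsip or the advisory: it models a lookup that returns NULL when no Authorization header matches the challenged realm, alongside a caller that tests that return before reading the algorithm instead of dereferencing it. All struct, function and enum names here (`digest_hdr`, `sip_request`, `find_auth_header`, `digest_authenticate`, `AUTH_CHALLENGE`, `AUTH_CHECK`) are hypothetical and do not correspond to real Asterisk or pjsip APIs; the sample requests are constructed inline.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the parsed credentials of one SIP
 * Authorization header (constructed for this example; not pjsip's types). */
struct digest_hdr {
    const char *realm;      /* realm= parameter */
    const char *algorithm;  /* algorithm= parameter, NULL when absent */
};

/* Hypothetical stand-in for an incoming request with 0..n Authorization headers. */
struct sip_request {
    const struct digest_hdr *hdrs;
    size_t count;
};

/* Return the Authorization header whose realm equals the realm sent in our
 * 401 challenge, or NULL when none matches. This mirrors the behaviour the
 * advisory attributes to get_authorization_header(): a realm that was never
 * challenged (or no prior challenge at all) yields NULL. */
static const struct digest_hdr *find_auth_header(const struct sip_request *req,
                                                 const char *challenged_realm)
{
    for (size_t i = 0; i < req->count; i++) {
        const char *realm = req->hdrs[i].realm;
        if (realm != NULL && strcmp(realm, challenged_realm) == 0) {
            return &req->hdrs[i];
        }
    }
    return NULL;
}

enum auth_result {
    AUTH_CHALLENGE = 0,  /* no usable credentials: answer with a fresh 401 */
    AUTH_CHECK = 1       /* credentials found: proceed to verify the digest */
};

/* Hardened caller. The vulnerable pattern is reading hdr->algorithm without
 * first testing hdr for NULL; on a non-matching realm that is a NULL
 * dereference, i.e. the SEGV described above. Here a NULL lookup result is
 * turned into a re-challenge instead of a crash. */
enum auth_result digest_authenticate(const struct sip_request *req,
                                     const char *challenged_realm,
                                     char *algo_out, size_t algo_len)
{
    const struct digest_hdr *hdr = find_auth_header(req, challenged_realm);

    if (hdr == NULL) {
        if (algo_len > 0) {
            algo_out[0] = '\0';
        }
        return AUTH_CHALLENGE;
    }

    /* Digest auth treats a missing algorithm parameter as MD5 (RFC 7616, 3.3). */
    const char *algo = (hdr->algorithm != NULL) ? hdr->algorithm : "MD5";
    snprintf(algo_out, algo_len, "%s", algo);
    return AUTH_CHECK;
}

/* Stand-alone demonstration with constructed requests. */
int main(void)
{
    const struct digest_hdr ok_hdrs[] = { { "asterisk", "SHA-256" } };
    const struct sip_request ok_req = { ok_hdrs, 1 };
    const struct digest_hdr bad_hdrs[] = { { "not-our-realm", "MD5" } };
    const struct sip_request bad_req = { bad_hdrs, 1 };
    char algo[32];

    printf("matching realm -> %d (%s)\n",
           digest_authenticate(&ok_req, "asterisk", algo, sizeof algo), algo);
    printf("unknown realm  -> %d\n",
           digest_authenticate(&bad_req, "asterisk", algo, sizeof algo));
    return 0;
}
```

The design point is that the lookup legitimately returns NULL for input an unauthenticated peer fully controls, so the caller, not the lookup, is where the check has to live; answering with another 401 keeps the authenticator's normal state machine intact while removing the crash.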
Recommendations:
Update Asterisk to version 20.15.2 or later.
Update Asterisk to version 21.10.2 or later.
Update Asterisk to version 22.5.2 or later.
References:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-57767 · Security Note
- https://nvd.nist.gov/vuln/detail/CVE-2025-57767 · Security Note
- https://osv.dev/vulnerability/CVE-2025-57767 · Vendor Advisory
- https://security-tracker.debian.org/tracker/CVE-2025-57767 · Vendor Advisory
- https://security-tracker.debian.org/tracker/source-package/asterisk · Vendor Advisory
- https://packages.debian.org/src:asterisk · Note
- https://github.com/asterisk/asterisk/security/advisories/GHSA-64qc-9x89-rx5j · Note
- https://github.com/asterisk/asterisk/commit/02993717b08f899d4aca9888062f35dfb198584f · Note
- https://github.com/asterisk/asterisk/pull/1407 · Note
- https://twitter.com/CVEnew/status/1961101308062285969 · Twitter Post
- https://t.me/CVEtracker/31136 · Telegram Post