Vulnerability Description
A vulnerability was detected in Kamailio 5.5. The affected element is the function sr_push_yy_state of the file src/core/cfg.lex of the component Configuration File Handler. The manipulation results in use after free. The attack must be initiated from a local position. The exploit is now public and may be used. The real existence of this vulnerability is still doubted at the moment. This attack requires manipulating config files which might not be a realistic scenario in many cases. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Kamailio | Kamailio | 5.5.0 |
Related Weaknesses (CWE)
References
- https://shimo.im/docs/ZzkLMVMLOzIRlpAQ/ExploitThird Party Advisory
- https://vuldb.com/?ctiid.329875Permissions RequiredVDB Entry
- https://vuldb.com/?id.329875Third Party AdvisoryVDB Entry
- https://vuldb.com/?submit.673225Third Party AdvisoryVDB Entry
- https://www.openwall.com/lists/oss-security/2025/11/02/3
- http://www.openwall.com/lists/oss-security/2025/10/27/12
- http://www.openwall.com/lists/oss-security/2025/10/27/8
- https://www.openwall.com/lists/oss-security/2025/10/27/8Issue TrackingMailing List
FAQ
What is CVE-2025-12205?
CVE-2025-12205 is a vulnerability with a CVSS score of 5.3 (MEDIUM). A vulnerability was detected in Kamailio 5.5. The affected element is the function sr_push_yy_state of the file src/core/cfg.lex of the component Configuration File Handler. The manipulation results i...
How severe is CVE-2025-12205?
CVE-2025-12205 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-12205?
Check the references section above for vendor advisories and patch information. Affected products include: Kamailio Kamailio.