Vulnerability Description
igmpproxy 0.4 before commit 2b30c36 allows remote attackers to cause a denial of service (application crash) via a crafted IGMPv3 membership report packet with a malicious source address. Due to insufficient validation in the `recv_igmp()` function in src/igmpproxy.c, an invalid group record type can trigger a NULL pointer dereference when logging the address using `inet_fmtsrc()`. This vulnerability can be exploited by sending malformed multicast traffic to a host running igmpproxy, leading to a crash. igmpproxy is used in various embedded networking environments and consumer-grade IoT devices (such as home routers and media gateways) to handle multicast traffic for IPTV and other streaming services. Affected devices that rely on unpatched versions of igmpproxy may be vulnerable to remote denial-of-service attacks across a LAN .
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pali | Igmpproxy | 0.4 |
Related Weaknesses (CWE)
References
- https://gist.github.com/miora-sora/dac1612d16c45c2aedb8605478adc28fThird Party Advisory
- https://github.com/pali/igmpproxy/issues/97ExploitPatchIssue Tracking
- https://github.com/younix/igmpproxy/commit/2b30c36e6ab5b21defb76ec6458ab76879844Patch
- https://github.com/pali/igmpproxy/issues/97ExploitPatchIssue Tracking
FAQ
What is CVE-2025-50681?
CVE-2025-50681 is a vulnerability with a CVSS score of 7.5 (HIGH). igmpproxy 0.4 before commit 2b30c36 allows remote attackers to cause a denial of service (application crash) via a crafted IGMPv3 membership report packet with a malicious source address. Due to insuf...
How severe is CVE-2025-50681?
CVE-2025-50681 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-50681?
Check the references section above for vendor advisories and patch information. Affected products include: Pali Igmpproxy.