CVE-2025-54995

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-54995
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-54995.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-54995
Aliases
  • GHSA-557q-795j-wfx2
Downstream
Published
2025-08-28T15:08:04.468Z
Modified
2025-12-02T20:13:18.142672Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Asterisk remotely exploitable leak of RTP UDP ports and internal resources
Details

Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 18.26.4 and 18.9-cert17, RTP UDP ports and internal resources can leak due to a lack of session termination. This could result in leaks and resource exhaustion. This issue has been patched in versions 18.26.4 and 18.9-cert17.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-1286",
        "CWE-400"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/54xxx/CVE-2025-54995.json"
}
References

Affected packages

Git / github.com/asterisk/asterisk

Affected ranges

Type
GIT
Repo
https://github.com/asterisk/asterisk
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
0b2345dff6408f33acbd516faf11e7820d1c1fae

Affected versions

18.*

18.9.0
18.9.0-rc1

certified-18.*

certified-18.9-cert10
certified-18.9-cert11
certified-18.9-cert12
certified-18.9-cert13
certified-18.9-cert14
certified-18.9-cert15
certified-18.9-cert16
certified-18.9-cert4
certified-18.9-cert5
certified-18.9-cert6
certified-18.9-cert7
certified-18.9-cert8
certified-18.9-cert8-rc1
certified-18.9-cert8-rc2
certified-18.9-cert9

certified/18.*

certified/18.9-cert1
certified/18.9-cert1-rc1
certified/18.9-cert2
certified/18.9-cert3
certified/18.9-cert4