Hello,

Thank you for contacting me. I did not know that there was some reported vulnerability, as nobody contacted me before you.
I will prepare an update of the Debian package with the fix.

On Saturday 20 December 2025 21:11:54 Salvatore Bonaccorso wrote:
> Source: igmpproxy
> Version: 0.3-1
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/pali/igmpproxy/issues/97
> X-Debbugs-Cc: [email protected], Debian Security Team
> <[email protected]>
>
> Hi,
>
> The following vulnerability was published for igmpproxy.
>
> CVE-2025-50681[0]:
> | igmpproxy 0.4 before commit 2b30c36 allows remote attackers to cause
> | a denial of service (application crash) via a crafted IGMPv3
> | membership report packet with a malicious source address. Due to
> | insufficient validation in the `recv_igmp()` function in
> | src/igmpproxy.c, an invalid group record type can trigger a NULL
> | pointer dereference when logging the address using `inet_fmtsrc()`.
> | This vulnerability can be exploited by sending malformed multicast
> | traffic to a host running igmpproxy, leading to a crash. igmpproxy
> | is used in various embedded networking environments and consumer-
> | grade IoT devices (such as home routers and media gateways) to
> | handle multicast traffic for IPTV and other streaming services.
> | Affected devices that rely on unpatched versions of igmpproxy may be
> | vulnerable to remote denial-of-service attacks across a LAN.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2025-50681
>     https://www.cve.org/CVERecord?id=CVE-2025-50681
> [1] https://github.com/pali/igmpproxy/issues/97
> [2]
> https://github.com/younix/igmpproxy/commit/2b30c36e6ab5b21defb76ec6458ab7687984484c
>
> Regards,
> Salvatore
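
The class of check the quoted CVE text says was missing, as an added example that is not part of this message, not igmpproxy's code and not the upstream fix: an IGMPv3 membership report is walked and rejected as a whole (unknown group record type, or a record running past the buffer) before any record is processed or logged. The function name, status codes and sample buffers are assumptions made for illustration; the field layout and the record types 1 to 6 follow RFC 3376, and the IGMP checksum is not verified here.

```c
#include <stddef.h>
#include <stdint.h>

/* IGMPv3 Membership Report layout per RFC 3376, section 4.2. */
#define IGMP_V3_MEMBERSHIP_REPORT 0x22
#define IGMPV3_REPORT_HDR_LEN 8 /* type, rsvd, cksum(2), rsvd(2), nrecords(2) */
#define IGMPV3_GREC_HDR_LEN   8 /* rtype, auxlen, nsrcs(2), group address(4) */

enum report_status { REPORT_OK = 0, REPORT_TRUNCATED = -1,
                     REPORT_BAD_TYPE = -2, REPORT_BAD_RECORD = -3 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Hypothetical helper (not an igmpproxy function): validate every group
 * record up front so later code never sees an unknown type or short record. */
int validate_igmpv3_report(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < IGMPV3_REPORT_HDR_LEN)
        return REPORT_TRUNCATED;
    if (buf[0] != IGMP_V3_MEMBERSHIP_REPORT)
        return REPORT_BAD_TYPE;

    uint16_t nrecords = be16(buf + 6);
    size_t off = IGMPV3_REPORT_HDR_LEN;   /* invariant: off <= len */

    for (uint16_t i = 0; i < nrecords; i++) {
        if (len - off < IGMPV3_GREC_HDR_LEN)
            return REPORT_TRUNCATED;
        uint8_t rtype = buf[off];
        if (rtype < 1 || rtype > 6)       /* RFC 3376 defines types 1..6 only */
            return REPORT_BAD_RECORD;
        /* Sources are 4 bytes each; aux data length counts 32-bit words. */
        size_t body = (size_t)be16(buf + off + 2) * 4 + (size_t)buf[off + 1] * 4;
        if (len - off - IGMPV3_GREC_HDR_LEN < body)
            return REPORT_TRUNCATED;
        off += IGMPV3_GREC_HDR_LEN + body;
    }
    return REPORT_OK;
}

/* Constructed sample reports (one record for group 239.1.2.3), not captures. */
const uint8_t sample_valid[] = { 0x22, 0, 0, 0, 0, 0, 0, 1,
                                 0x04, 0, 0, 0, 0xef, 1, 2, 3 };
const uint8_t sample_bad_record[] = { 0x22, 0, 0, 0, 0, 0, 0, 1,
                                      0x07, 0, 0, 0, 0xef, 1, 2, 3 };
const uint8_t sample_truncated[] = { 0x22, 0, 0, 0, 0, 0, 0, 1,
                                     0x04, 0, 0, 1, 0xef, 1, 2, 3 };
```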

