Intel

AIKIDO-2026-862812

mediasoup is vulnerable to Authentication Bypass

Authentication BypassCVE-2026-55663 Published 2 days ago

56

Medium Risk

This Affects:

JSmediasoup
3.20.0 - 3.20.5
Fixed in 3.20.6
Are you affected? Scan for Free

TL;DR

mediasoup's built-in SCTP stack authenticates SCTP State Cookies using only hardcoded magic byte sequences (msworker and 0xAD81) instead of a per-instance secret and HMAC, violating RFC 9260. On a PlainTransport or PipeTransport with SCTP enabled and no SRTP/DTLS, an on-path attacker can craft a forged COOKIE-ECHO chunk that passes validation, establish an unauthorized SCTP association without the 4-way handshake, and inject DataChannel messages as a trusted peer. The received-packet CRC32c checksum was also never verified, so forged packets with any checksum were accepted. The fix adds a per-association random secret with an HMAC-SHA1 and freshness timestamp in the State Cookie gated by sctpOptions.requireAuthenticatedCookie, and validates the CRC32c checksum of received packets.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and use PlainTransport or PipeTransport with SCTP enabled without SRTP/DTLS protection.

Background info

mediasoup is vulnerable to Authentication Bypass in versions 3.20.0 - 3.20.5.

How to fix this

Upgrade the mediasoup library to the patch version.