Critical Buffer Overflow in Converse Platform (CVE-2025-24237)
A critical heap-based buffer overflow vulnerability has been discovered in the popular Converse video conferencing platform. This flaw, tracked as CVE-2025-24237 and nicknamed “Stunner,” can be triggered by a single, unauthenticated UDP packet, causing an immediate Denial of Service (DoS). It carries a CVSS score of 9.0 (Critical) due to the potential for Remote Code Execution (RCE).
TL;DR:
- What: A critical buffer overflow in the WebRTC STUN packet handler.
- Affected Software: Converse server versions 3.2.0 through 3.8.1.
- Impact: An unauthenticated attacker can crash the entire service, ending all active meetings. Remote Code Execution may be possible.
- Action: Update your Converse instance to version 3.8.2 or newer immediately.
What is Converse?
Converse is a widely-used, self-hosted collaboration platform that provides video conferencing, real-time chat, and file sharing for businesses and organizations. It relies on WebRTC for its real-time communication capabilities.
The “Stunner” Vulnerability Explained
This vulnerability is found in the server’s handling of STUN (Session Traversal Utilities for NAT) packets. STUN is a core component of WebRTC: a client sends a Binding Request to a STUN server and learns from the response the public IP address and port that its NAT has mapped to it, which is what allows peers behind NATs to reach each other.
The Converse server fails to properly validate the length field of attributes within incoming STUN requests. Every STUN attribute carries a 16-bit length field, and the server uses this attacker-supplied value as the copy length without checking it against the size of the buffer that receives the attribute. An unauthenticated attacker can therefore craft a STUN Binding Request containing an attribute whose length field exceeds the allocated buffer. When the server processes this malformed packet, it copies more data than the buffer can hold, causing a heap-based buffer overflow.
The Attack Flow:
- An attacker sends a single, specially crafted UDP packet to the server’s public STUN port (typically port 3478).
- The server’s STUN handler reads the malicious attribute and its invalid length.
- A buffer overflow occurs during a memory copy operation.
- This memory corruption immediately crashes the main Converse service process.
- All active video conferences and real-time connections are terminated, resulting in a server-wide Denial of Service.
While the immediate and reliable outcome is a DoS, security researchers note that with a more sophisticated payload, an attacker could potentially control the corrupted memory to achieve Remote Code Execution.
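To make the failure described above concrete, here is an added example written for this page. It is not Converse’s code and not a reconstruction of the actual vulnerable function: it parses the attribute section of a STUN Binding Request (RFC 5389 layout: 20-byte header with a 16-bit message length and the 0x2112A442 magic cookie, then type/length/value attributes padded to 4 bytes) first in the unsafe form that trusts the attribute length field, then in a hardened form that checks every length before copying. The 64-byte buffer size, the function names and the two packets are assumptions constructed for the example; the hardened parser also checks the header-level message length against the datagram, which goes a step beyond the single check the advisory text describes.

```c
/* Added example: a minimal STUN attribute parser in the unsafe form described
 * above, beside a hardened one. Not Converse's code; ATTR_BUF_SIZE, the
 * function names and the packets below are assumptions for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STUN_HDR_LEN   20
#define STUN_MAGIC     0x2112A442u   /* RFC 5389 magic cookie */
#define ATTR_BUF_SIZE  64            /* assumed fixed size of the handler's per-attribute buffer */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Unsafe pattern: the attribute's length field is used as the memcpy length.
 * A length of 0xFFFF writes far past the 64-byte heap buffer (and reads past
 * the datagram). Returns the attribute count; rejects nothing. */
int stun_parse_attrs_vulnerable(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < STUN_HDR_LEN) return -1;
    size_t end = STUN_HDR_LEN + rd16(pkt + 2);   /* declared length, never checked against pkt_len */
    size_t off = STUN_HDR_LEN;
    int n = 0;
    while (off + 4 <= end) {
        uint16_t alen = rd16(pkt + off + 2);
        uint8_t *value = malloc(ATTR_BUF_SIZE);
        if (!value) return -1;
        memcpy(value, pkt + off + 4, alen);      /* heap overflow when alen > ATTR_BUF_SIZE */
        free(value);
        off += 4 + (((size_t)alen + 3) & ~(size_t)3);
        n++;
    }
    return n;
}

/* Hardened: every length is checked against both the datagram and the
 * destination buffer before any copy. Returns the attribute count, or -1 to drop. */
int stun_parse_attrs_hardened(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < STUN_HDR_LEN) return -1;
    if (rd32(pkt + 4) != STUN_MAGIC) return -1;               /* not an RFC 5389 STUN message */
    uint16_t msg_len = rd16(pkt + 2);
    if (msg_len % 4 != 0) return -1;                          /* must be a multiple of 4 */
    if ((size_t)msg_len > pkt_len - STUN_HDR_LEN) return -1;  /* declared length vs actual datagram */
    size_t off = STUN_HDR_LEN, end = STUN_HDR_LEN + msg_len;
    int n = 0;
    while (off < end) {
        if (end - off < 4) return -1;                         /* truncated attribute header */
        uint16_t alen = rd16(pkt + off + 2);
        size_t padded = ((size_t)alen + 3) & ~(size_t)3;
        if (padded > end - off - 4) return -1;                /* value must lie inside the message */
        if (alen > ATTR_BUF_SIZE) return -1;                  /* value must fit the destination */
        uint8_t *value = malloc(ATTR_BUF_SIZE);
        if (!value) return -1;
        memcpy(value, pkt + off + 4, alen);
        free(value);
        off += 4 + padded;
        n++;
    }
    return n;
}

/* Constructed Binding Request: 20-byte header plus one SOFTWARE (0x8022)
 * attribute whose 5-byte value "test1" is padded to 8. 32 bytes in total. */
static const uint8_t PKT_GOOD[32] = {
    0x00, 0x01, 0x00, 0x0C,                   /* type = Binding Request, message length = 12 */
    0x21, 0x12, 0xA4, 0x42,                   /* magic cookie */
    0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB,       /* transaction ID (arbitrary for the example) */
    0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB,
    0x80, 0x22, 0x00, 0x05,                   /* SOFTWARE, length = 5 */
    't',  'e',  's',  't',  '1',  0x00, 0x00, 0x00
};

/* Same datagram, except the attribute length field claims 0xFFFF bytes. */
static const uint8_t PKT_BAD[32] = {
    0x00, 0x01, 0x00, 0x0C,
    0x21, 0x12, 0xA4, 0x42,
    0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB,
    0xAB, 0xAB, 0xAB, 0xAB, 0xAB, 0xAB,
    0x80, 0x22, 0xFF, 0xFF,                   /* SOFTWARE, length = 65535 (a lie) */
    't',  'e',  's',  't',  '1',  0x00, 0x00, 0x00
};

int main(void)
{
    printf("vulnerable parser, well-formed packet: %d\n",
           stun_parse_attrs_vulnerable(PKT_GOOD, sizeof PKT_GOOD));
    printf("hardened parser,   well-formed packet: %d\n",
           stun_parse_attrs_hardened(PKT_GOOD, sizeof PKT_GOOD));
    printf("hardened parser,   lying length field:  %d\n",
           stun_parse_attrs_hardened(PKT_BAD, sizeof PKT_BAD));
    /* stun_parse_attrs_vulnerable(PKT_BAD, ...) is deliberately not called here:
     * it would memcpy 65535 bytes into a 64-byte heap allocation. */
    return 0;
}
```

Build with `cc -Wall -fsanitize=address` and add a call to `stun_parse_attrs_vulnerable(PKT_BAD, sizeof PKT_BAD)` to watch AddressSanitizer report the heap-buffer-overflow that the advisory describes; the hardened parser returns -1 for the same bytes before any copy happens. Note that the fix is three separate checks, not one: the header’s message length against the datagram, the attribute’s padded length against the remaining message, and the attribute length against the destination buffer. Dropping any one of them leaves a reachable over-read or over-write.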
Impact and Remediation
The impact of “Stunner” is severe, especially for organizations that rely on Converse for daily operations.
- Denial of Service: The primary threat is the ability for anyone on the internet to repeatedly crash the server, making the platform unusable.
- Potential for RCE: If an attacker successfully develops an exploit, they could take complete control of the server, allowing them to eavesdrop on meetings, steal data, and pivot into the internal network.
Are you affected? You are vulnerable if you are running a Converse server version from 3.2.0 through 3.8.1.
How to Fix It: The Converse development team has released a security patch that adds proper length validation to the STUN handler.
- Update Immediately: The most critical action is to update your Converse instance to the patched version 3.8.2 or newer.
- Restrict Access (Temporary Mitigation): If you cannot update immediately, you can reduce exposure by configuring your firewall to allow UDP traffic to the STUN port (3478 by default) only from known, trusted IP addresses. Be aware that this may break connectivity for users on dynamic or unknown networks, and that a source-address allowlist is a weak control against a single-packet UDP attack, since UDP source addresses can be spoofed. This is not a substitute for updating.
Resources and Citations
This vulnerability was discovered by researchers at Google’s Project Zero.
- Official Converse Website:
https://www.getconverse.io
- Official GitHub Repository:
https://github.com/Converse-Project/Converse
- Official Security Advisory:
https://github.com/Converse-Project/Converse/security/advisories/GHSA-fictional-stuv-2423
- NVD Entry:
https://nvd.nist.gov/vuln/detail/CVE-2025-24237
- Discoverer’s Technical Blog:
https://googleprojectzero.blogspot.com/2025/08/stunned-into-silence-rce-in-converse.html
- General