Pexip, a leading provider of self-hosted video conferencing platforms, has released a security bulletin detailing critical vulnerabilities in its Infinity platform.
Critical Heap-Based Buffer Overflow
A critical vulnerability, tracked as CVE-2024-12084, has been discovered in the rsync daemon used by Pexip Infinity. This flaw is described as a βheap-based buffer overflow flawβ and is attributed to βimproper handling of attacker-controlled checksum lengths (s2length) in the code.β The vulnerability could allow an attacker to write out of bounds in the sum2 buffer, potentially leading to severe consequences.
The bulletin assigns a CVSS 3.1 base score of 9.8 to this vulnerability, indicating its critical severity. However, it also notes that βexploitation of this vulnerability requires access to the operating system on an Infinity node as the rsync daemon is not exposed to the network outside the Infinity deployment.β This reduces the risk to Infinity deployments from Critical to High.
Denial-of-Service Vulnerabilities
The security bulletin highlights two high-severity vulnerabilities related to insufficient input validation in the signaling implementation of Pexip Infinity. These vulnerabilities, tracked as CVE-2025-32095 and CVE-2025-30080, could allow a remote attacker to trigger a software abort, leading to a denial of service.
According to the bulletin, βa crafted signaling message allows a remote attacker to trigger a software abort.β While both vulnerabilities share a CVSS 3.1 base score of 7.5, they affect different versions of Pexip Infinity. CVE-2025-32095 impacts all versions prior to 37.0, while CVE-2025-30080 affects versions 29-36.2.
Mitigation and Resolution
Pexipβs security bulletin provides clear guidance on how to address these vulnerabilities. The recommended resolution for these flaws is to upgrade to Pexip Infinity v37.0. Additionally, Pexip advises users to βEnsure only trusted users have operating system access to the Infinity deploymentβ as a mitigation measure.