While working on the lotus project, we discovered a critical vulnerability in the Go package Pion Interceptor(this dependency used by lotus), tracked as CVE-2025-49140. This vulnerability affects versions v0.1.36 through v0.1.38 and allows an attacker to remotely crash applications using Pion-based SFU (Selective Forwarding Unit) implementations.

CVE Link
CVE Report