---
title: OpenSIPS: Denial of service in presence.handle_publish() from unchecked Content-Type state
date: 2026-05-21
url: /advisories/ES2026-01-opensips-presence-publish-content-type-dos.md
---

- CVSS v4.0, Enable Security assessment
    - Vector: [link](https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)
- Other references:
    - [CVE-2026-45084](https://www.cve.org/CVERecord?id=CVE-2026-45084)
    - [GHSA-h3ww-hchh-x2g9](https://github.com/OpenSIPS/opensips/security/advisories/GHSA-h3ww-hchh-x2g9)
    - CWE-476: NULL Pointer Dereference
- Fixed versions: OpenSIPS 3.6.6, OpenSIPS 4.0.0-rc1, and master at or after the May 2026 fix series
- Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2026-01-opensips-presence-publish-content-type-dos/
- Tested vulnerable version: OpenSIPS 3.5.9
- Timeline:
    - Enable Security reproduced the issue: 2026-04-24
    - UDP/TCP retest: 2026-04-30
    - OpenSIPS advisory: 2026-05-21
    - Enable Security advisory: 2026-05-21

## Description

OpenSIPS published `GHSA-h3ww-hchh-x2g9` for a configuration-dependent crash in `modules/presence/publish.c:handle_publish()`. When sphere checking is enabled, the vulnerable path calls `get_content_type(msg)`, and it can reach that call when the `Content-Type` header is missing or has not yet been parsed.

Enable Security reproduced the crash on OpenSIPS 3.5.9 over both UDP and TCP, using PUBLISH requests with a valid `Content-Type` header as well as PUBLISH requests with no `Content-Type` header.

## Technical details

The vulnerable route is in the OpenSIPS `presence` module when `handle_publish()` processes a body-bearing `Event: presence` PUBLISH and sphere checking is enabled.

The affected code path checks whether the request body is PIDF/XML by using `get_content_type(msg)`. In the tested OpenSIPS path, a valid `Content-Type: application/pidf+xml` header was present but not parsed into `msg->content_type->parsed` before this dereference. A missing `Content-Type` header also caused a crash because `msg->content_type` was NULL.

This means both of the following cases were unsafe in testing:

- valid `Content-Type: application/pidf+xml`
- missing `Content-Type`

The crash occurs before the event-specific `presence_xml` handler can validate the body.

## Configuration requirements

The verified crash path requires:

- `presence` and `presence_xml` loaded
- supporting XCAP configuration so the presence stack initializes
- `modparam("presence", "enable_sphere_check", 1)` enabled
- routing logic that calls `handle_publish()` on attacker-controlled PUBLISH requests
- `Event: presence` and a non-empty body
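
A static check for the script-level preconditions in the list above, as an added example (it is not code from Enable Security or OpenSIPS). It only inspects what is visible in a config file: loaded modules, the `enable_sphere_check` setting and a `handle_publish()` call. The sample configs, function names and the treatment of an absent parameter as disabled are assumptions made for this example.

```python
import re

# Matches quoted strings (kept) or '#' and /* */ comments (dropped).
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|#[^\n]*', re.S)
_LOADMODULE = re.compile(r'\bloadmodule\s+"([^"]+)"')
_SPHERE = re.compile(
    r'\bmodparam\(\s*"presence"\s*,\s*"enable_sphere_check"\s*,\s*(\d+)\s*\)')
_PUBLISH_CALL = re.compile(r'\bhandle_publish\s*\(')


def strip_comments(cfg: str) -> str:
    """Remove comments while leaving '#' inside quoted strings intact."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", cfg)


def audit(cfg: str) -> dict:
    """Report which static preconditions from the advisory a config meets."""
    body = strip_comments(cfg)
    modules = {m.rsplit("/", 1)[-1].removesuffix(".so")
               for m in _LOADMODULE.findall(body)}
    sphere_values = _SPHERE.findall(body)
    result = {
        "presence_loaded": "presence" in modules,
        "presence_xml_loaded": "presence_xml" in modules,
        # Assumption: the check is off unless a modparam turns it on;
        # if the parameter is set more than once, the last setting is used.
        "sphere_check_enabled": bool(sphere_values) and int(sphere_values[-1]) != 0,
        "handle_publish_called": bool(_PUBLISH_CALL.search(body)),
    }
    result["matches_advisory_conditions"] = all(result.values())
    return result


# Constructed sample configs, not taken from any real deployment.
SAMPLE_EXPOSED = '''
loadmodule "presence.so"
loadmodule "/usr/lib/opensips/modules/presence_xml.so"
modparam("presence", "enable_sphere_check", 1)
route {
    if (is_method("PUBLISH")) { handle_publish(); }
}
'''
SAMPLE_MITIGATED = SAMPLE_EXPOSED.replace(
    'modparam("presence"', '# modparam("presence"')

if __name__ == "__main__":
    for name, cfg in (("exposed", SAMPLE_EXPOSED), ("mitigated", SAMPLE_MITIGATED)):
        print(name, audit(cfg))
```

A match means the config satisfies the static conditions only; whether the route is reachable by unauthenticated senders still has to be read from the routing script.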

## Impact

An attacker who can send matching PUBLISH requests to an affected OpenSIPS route can crash a worker process, causing denial of service for presence publication handling. Production reachability depends on whether PUBLISH traffic is authenticated or otherwise restricted by the routing script.

## Solutions and recommendations

Upgrade to a fixed OpenSIPS version. OpenSIPS lists fixes in the May 2026 release series, including:

- OpenSIPS 3.6.6: `de5071a48` and `ec38f4f01`
- OpenSIPS 4.0.0-rc1: `73279c3fe` and `91e13270e`
- master: `594913524` and `a03b8a82e`

If immediate patching is not possible, disable sphere checking if it is not required and restrict PUBLISH routes to trusted or authenticated clients.

## References

- [OpenSIPS advisory GHSA-h3ww-hchh-x2g9](https://github.com/OpenSIPS/opensips/security/advisories/GHSA-h3ww-hchh-x2g9)
- [CVE-2026-45084](https://www.cve.org/CVERecord?id=CVE-2026-45084)
- [OpenSIPS master fix 594913524](https://github.com/OpenSIPS/opensips/commit/594913524)
- [OpenSIPS master fix a03b8a82e](https://github.com/OpenSIPS/opensips/commit/a03b8a82e)

## About Enable Security

[Enable Security](https://www.enablesecurity.com) provides quality penetration testing to help protect your real-time communications systems against attack.

## Disclaimer

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

## Disclosure policy

This report is subject to Enable Security's vulnerability disclosure policy, which can be found at <https://github.com/EnableSecurity/Vulnerability-Disclosure-Policy>.

