Tags › Opensips
OpenSIPS: Denial of service in presence.handle_publish() from unchecked Content-Type state
Published on May 21, 2026 in security advisory, CVE-2026-45084, opensips, denial of service
- CVSS v4.0, Enable Security assessment
- Vector: link
- Other references:
- CVE-2026-45084
- GHSA-h3ww-hchh-x2g9
- CWE-476: NULL Pointer Dereference
- Fixed versions: OpenSIPS 3.6.6, OpenSIPS 4.0.0-rc1, and master at or after the May 2026 fix series
- Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2026-01-opensips-presence-publish-content-type-dos/
- Tested vulnerable version: OpenSIPS 3.5.9
- Timeline:
- Enable Security reproduced the issue: 2026-04-24
- UDP/TCP retest: 2026-04-30
- OpenSIPS advisory: 2026-05-21
- Enable Security advisory: 2026-05-21
Description
OpenSIPS published GHSA-h3ww-hchh-x2g9 for a configuration-dependent crash in modules/presence/publish.c:handle_publish(). The vulnerable path calls get_content_type(msg) while sphere checking is enabled, but can reach that call without safe Content-Type parser state.
OpenSIPS: Watcherinfo XML generation denial of service from oversized watcher URI
Published on May 21, 2026 in security advisory, CVE-2026-45809, opensips, denial of service
- CVSS v4.0, Enable Security assessment
- Vector: link
- Other references:
- CVE-2026-45809
- GHSA-gx83-2gh8-7v56
- CWE-121: Stack-based Buffer Overflow
- Fixed versions: OpenSIPS 3.6.6, OpenSIPS 4.0.0-rc1, and master at or after
eeb331cd5 - Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2026-02-opensips-watcherinfo-uri-stack-buffer-overflow/
- Tested vulnerable version: OpenSIPS 3.5.9
- Timeline:
- Enable Security reproduced the issue: 2026-04-29
- OpenSIPS advisory: 2026-05-21
- Enable Security advisory: 2026-05-21
Description
OpenSIPS published GHSA-gx83-2gh8-7v56 for a denial-of-service vulnerability in watcherinfo XML generation. The issue is caused by an oversized watcher URI being copied into a fixed-size stack buffer in modules/presence/notify.c:create_winfo_xml().
OpenSIPS: Denial of service in SDP bandwidth parsing via QoS SDP cloning
Published on May 21, 2026 in security advisory, CVE-2026-46334, opensips, denial of service
- CVSS v4.0, Enable Security assessment
- Vector: link
- Other references:
- CVE-2026-46334
- GHSA-rh36-mhpv-cx2r
- CWE-787: Out-of-bounds Write
- Fixed versions: OpenSIPS 3.6.6, OpenSIPS 4.0.0-rc1, and master at or after
38d0e6ea0 - Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2026-03-opensips-sdp-bandwidth-parsing-dos/
- Tested vulnerable version: OpenSIPS 3.5.9
- Timeline:
- Enable Security reproduced the issue: 2026-04-29
- OpenSIPS advisory: 2026-05-21
- Enable Security advisory: 2026-05-21
Description
OpenSIPS published GHSA-rh36-mhpv-cx2r for malformed SDP bandwidth-line handling in parser/sdp/sdp_helpr_funcs.c:extract_bwidth(). A missing delimiter can corrupt parsed SDP metadata, which can later crash OpenSIPS when the state is cloned by dialog/QoS handling.
OpenSIPS: Denial of service in IMC #list member listing
Published on May 21, 2026 in security advisory, opensips, denial of service
- CVSS v4.0, Enable Security assessment
- Vector: link
- Other references:
- GHSA-3qr5-cgpj-hxhx
- CWE-787: Out-of-bounds Write
- CVE: not assigned in the OpenSIPS GitHub advisory as of 2026-06-02
- Fixed versions: OpenSIPS 3.6.6, OpenSIPS 4.0.0-rc1, and master at or after
76afe3420 - Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2026-04-opensips-imc-list-buffer-overflow/
- Tested vulnerable version: OpenSIPS 3.5.9
- Timeline:
- Enable Security reproduced the issue: 2026-04-30
- Additional verification: 2026-05-15
- OpenSIPS advisory: 2026-05-21
- Enable Security advisory: 2026-05-21
Description
OpenSIPS published GHSA-3qr5-cgpj-hxhx for an unchecked fixed-buffer copy in modules/imc/imc_cmd.c:imc_handle_list() while building an IMC room member list reply.
OpenSIPS: Out-of-bounds read in IMC unknown-command reply building
Published on May 21, 2026 in security advisory, opensips
- CVSS v4.0, Enable Security assessment
- Vector: link
- Other references:
- GHSA-3gfr-36cv-g4fc
- CWE-125: Out-of-bounds Read
- CVE: not assigned in the OpenSIPS GitHub advisory as of 2026-06-02
- Fixed versions: OpenSIPS 3.6.6, OpenSIPS 4.0.0-rc1, and master at or after
07d54dbc9 - Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2026-05-opensips-imc-unknown-command-oob-read/
- Tested vulnerable version: OpenSIPS 3.5.9
- Timeline:
- Enable Security reproduced the issue: 2026-04-30
- OpenSIPS advisory: 2026-05-21
- Enable Security advisory: 2026-05-21
Description
OpenSIPS published GHSA-3gfr-36cv-g4fc for an IMC unknown-command reply length mismatch in modules/imc/imc_cmd.c:imc_handle_unknown(). The vulnerable code keeps the would-have-been snprintf() length after truncation and passes that oversized length to TM reply construction.
DVRTC v0.2.0: pbx2 and SIP SQL injection
Published on Apr 21, 2026 in DVRTC, voip security, webrtc security, training, sip security, opensips, freeswitch, demo server, security tools
DVRTC v0.2.0 expands the lab with pbx2, a new OpenSIPS, FreeSWITCH, and rtpproxy scenario. It also adds a fun SIP-driven Lua SQL injection exercise, along with new docs, workflows, and attack paths to try.…
OpenSIPS Security Audit Report is fully disclosed and out there
Published on Mar 17, 2023 in sip security, sip security testing, security tools, opensips, kamailio, fuzzing, denial of service, research
It’s almost a year since the OpenSIPS project published a minimized version of our security audit report from 2022. Now, the full version has been published, with all the information intact on how to reproduce the vulnerabilities and extra details in an 80+ page report.
The OpenSIPS security audit report can be found here.
What is the OpenSIPS security audit?
OpenSIPS is a SIP server that often has a critical security function within an IP communications system. Thus, it makes absolute sense to perform a thorough security audit for such software. We had been dealing with OpenSIPS servers from time to time in our work so we were rather familiar with the software and the project itself. Then back in January 2021, the lead developer for OpenSIPS, Bogdan-Andrei Iancu, asked us if we would be interested in doing some proper security work. Naturally, our answer was yes please!
…Bug discovery diaries: uncovering sngrep overflow issues with blackbox fuzzing
Published on Jan 5, 2021 in fuzzing, sip security, sipvicious pro, sip security testing, opensips
Executive summary (TL;DR)
During OpenSIPIt, we crashed sngrep by mistake while briefly fuzzing OpenSIPS. Later on we setup a docker environment to reproduce the issue, identified the actual bugs and reported them upstream. If you want to learn the simple steps to do this, you actually have to read the rest of the post :-)
sngrep crash during the live OpenSIPit event
Last year we participated in OpenSIPIt’s interoperability testing event which was held between the 14th and 15th of September 2020. Amongst the topics discussed were RFC8760 (SHA-digest), STIR/SHAKEN and RFC8599 (push notifications). Whilst trying to stick to the agenda, we couldn’t resist the temptation to fuzz test the servers that were available to us. An instance of OpenSIPS was tested for a very short period of time, however, we did not observe any server crashes.
…