Skip to main content

Tags Opensips

OpenSIPS: Denial of service in presence.handle_publish() from unchecked Content-Type state

Description

OpenSIPS published GHSA-h3ww-hchh-x2g9 for a configuration-dependent crash in modules/presence/publish.c:handle_publish(). The vulnerable path calls get_content_type(msg) while sphere checking is enabled, but can reach that call without safe Content-Type parser state.

Read more about OpenSIPS: Denial of service in presence.handle_publish() from unchecked Content-Type state

OpenSIPS: Watcherinfo XML generation denial of service from oversized watcher URI

Description

OpenSIPS published GHSA-gx83-2gh8-7v56 for a denial-of-service vulnerability in watcherinfo XML generation. The issue is caused by an oversized watcher URI being copied into a fixed-size stack buffer in modules/presence/notify.c:create_winfo_xml().

Read more about OpenSIPS: Watcherinfo XML generation denial of service from oversized watcher URI

OpenSIPS: Denial of service in SDP bandwidth parsing via QoS SDP cloning

Description

OpenSIPS published GHSA-rh36-mhpv-cx2r for malformed SDP bandwidth-line handling in parser/sdp/sdp_helpr_funcs.c:extract_bwidth(). A missing delimiter can corrupt parsed SDP metadata, which can later crash OpenSIPS when the state is cloned by dialog/QoS handling.

Read more about OpenSIPS: Denial of service in SDP bandwidth parsing via QoS SDP cloning

OpenSIPS: Denial of service in IMC #list member listing

Published on May 21, 2026 in , ,

  • CVSS v4.0, Enable Security assessment
  • Other references:
  • CVE: not assigned in the OpenSIPS GitHub advisory as of 2026-06-02
  • Fixed versions: OpenSIPS 3.6.6, OpenSIPS 4.0.0-rc1, and master at or after 76afe3420
  • Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2026-04-opensips-imc-list-buffer-overflow/
  • Tested vulnerable version: OpenSIPS 3.5.9
  • Timeline:
    • Enable Security reproduced the issue: 2026-04-30
    • Additional verification: 2026-05-15
    • OpenSIPS advisory: 2026-05-21
    • Enable Security advisory: 2026-05-21

Description

OpenSIPS published GHSA-3qr5-cgpj-hxhx for an unchecked fixed-buffer copy in modules/imc/imc_cmd.c:imc_handle_list() while building an IMC room member list reply.

Read more about OpenSIPS: Denial of service in IMC #list member listing

OpenSIPS: Out-of-bounds read in IMC unknown-command reply building

Published on May 21, 2026 in ,

Description

OpenSIPS published GHSA-3gfr-36cv-g4fc for an IMC unknown-command reply length mismatch in modules/imc/imc_cmd.c:imc_handle_unknown(). The vulnerable code keeps the would-have-been snprintf() length after truncation and passes that oversized length to TM reply construction.

Read more about OpenSIPS: Out-of-bounds read in IMC unknown-command reply building

DVRTC v0.2.0: pbx2 and SIP SQL injection

DVRTC v0.2.0 expands the lab with pbx2, a new OpenSIPS, FreeSWITCH, and rtpproxy scenario. It also adds a fun SIP-driven Lua SQL injection exercise, along with new docs, workflows, and attack paths to try.…

Read more about DVRTC v0.2.0: pbx2 and SIP SQL injection

OpenSIPS Security Audit Report is fully disclosed and out there

It’s almost a year since the OpenSIPS project published a minimized version of our security audit report from 2022. Now, the full version has been published, with all the information intact on how to reproduce the vulnerabilities and extra details in an 80+ page report.

The OpenSIPS security audit report can be found here.

What is the OpenSIPS security audit?

OpenSIPS is a SIP server that often has a critical security function within an IP communications system. Thus, it makes absolute sense to perform a thorough security audit for such software. We had been dealing with OpenSIPS servers from time to time in our work so we were rather familiar with the software and the project itself. Then back in January 2021, the lead developer for OpenSIPS, Bogdan-Andrei Iancu, asked us if we would be interested in doing some proper security work. Naturally, our answer was yes please!

Read more about OpenSIPS Security Audit Report is fully disclosed and out there

Bug discovery diaries: uncovering sngrep overflow issues with blackbox fuzzing

Executive summary (TL;DR)

During OpenSIPIt, we crashed sngrep by mistake while briefly fuzzing OpenSIPS. Later on we setup a docker environment to reproduce the issue, identified the actual bugs and reported them upstream. If you want to learn the simple steps to do this, you actually have to read the rest of the post :-)

sngrep crash during the live OpenSIPit event

Last year we participated in OpenSIPIt’s interoperability testing event which was held between the 14th and 15th of September 2020. Amongst the topics discussed were RFC8760 (SHA-digest), STIR/SHAKEN and RFC8599 (push notifications). Whilst trying to stick to the agenda, we couldn’t resist the temptation to fuzz test the servers that were available to us. An instance of OpenSIPS was tested for a very short period of time, however, we did not observe any server crashes.

Read more about Bug discovery diaries: uncovering sngrep overflow issues with blackbox fuzzing