Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable and unauthenticated (AV:N/PR:N), but AC:H reflects the required db_mode-plus-SQL-backend configuration; auth bypass gives C:H, injectable query gives I:L, no availability impact.
Primary rating from Vendor (vulncheck).
CVSS VectorVendor: vulncheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
OpenSIPS versions 3.1 before 3.6.4 containing the auth_jwt module (prior to commit 3822d33) contain a SQL injection vulnerability in the jwt_db_authorize() function in modules/auth_jwt/authorize.c when db_mode is enabled and a SQL database backend is used. The function extracts the tag claim from a JWT without prior signature verification and incorporates the unescaped value directly into a SQL query. An attacker can supply a crafted JWT with a malicious tag claim to manipulate the query result and bypass JWT authentication, allowing impersonation of arbitrary identities.
AnalysisAI
JWT authentication bypass in OpenSIPS 3.1 through 3.6.3 lets remote attackers impersonate arbitrary identities by exploiting a SQL injection in the auth_jwt module's jwt_db_authorize() function. The flaw affects only deployments where the module runs with db_mode enabled against a SQL database backend; the tag claim is read from the JWT and placed into a SQL query before the token signature is verified, so no valid signing key is needed. EPSS is low (0.07%, 20th percentile) and there is no public exploit identified at time of analysis, but the auth-bypass impact makes it a meaningful risk for exposed VoIP infrastructure.
Technical ContextAI
OpenSIPS is a high-performance open-source SIP server used as a proxy, registrar, and session border controller in VoIP and telecom deployments. The auth_jwt module validates JSON Web Tokens for SIP authentication; in database mode it looks up a 'tag' claim against a SQL table to map the token to an account. The root cause is CWE-89 (SQL Injection): in modules/auth_jwt/authorize.c, jwt_db_authorize() extracts the tag claim and concatenates the raw, unescaped value directly into the SQL query string. Critically, this extraction happens before signature verification, so an attacker fully controls the claim contents. The upstream fix (commit 3822d33, PR #3807, shipped in 3.6.4) routes the tag through escape_common(), which escapes single quotes, double quotes, backslashes, and null bytes into a heap-allocated buffer before it reaches the query.
Affected ProductsAI
OpenSIPS versions 3.1 up to but not including 3.6.4 are affected, specifically installations that load the auth_jwt module with db_mode enabled and a SQL database backend (commit 3822d33 and earlier). Deployments that do not use auth_jwt, or that use it without the database authorization path, are not exposed. No CPE string was provided in the input. Vendor resources are the project site https://opensips.org/ and the fixed-release changelog https://opensips.org/pub/opensips/3.6.4/ChangeLog, with the vulnerability advisory at https://www.vulncheck.com/advisories/opensips-auth-jwt-sql-injection-enables-jwt-authentication-bypass.
RemediationAI
Vendor-released patch: upgrade to OpenSIPS 3.6.4 or later, which incorporates the fix from PR https://github.com/OpenSIPS/opensips/pull/3807 and commit https://github.com/OpenSIPS/opensips/commit/3822d33c1c6b25832fdd88da1d23eed74be55b05 that escapes the JWT tag claim via escape_common() before it enters the SQL query. If you cannot upgrade immediately, the most direct compensating control is to disable db_mode in the auth_jwt module and rely on a non-SQL authorization backend, which removes the injectable code path but changes how tag-to-identity mapping is resolved and may require reconfiguring account lookups. Alternatively, restrict network reachability of the SIP interface that performs JWT authentication to trusted peers (ACLs/firewall) so untrusted clients cannot submit crafted JWTs - this reduces exposure but does not fix the underlying flaw and breaks any legitimate remote clients that need access. Consult the 3.6.4 ChangeLog at https://opensips.org/pub/opensips/3.6.4/ChangeLog and the VulnCheck advisory for details.
Same weakness CWE-89 – SQL Injection
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today