Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionGitHub Advisory
PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, on GnuTLS builds, the SIP TLS transport (sip_transport_tls) can accept connections with invalid or untrusted certificates even when the application explicitly enables certificate verification via verify_server = PJ_TRUE or verify_client = PJ_TRUE. This issue has been patched in version 2.17.
AnalysisAI
Certificate validation bypass in PJSIP versions before 2.17 allows remote attackers to perform man-in-the-middle attacks against TLS connections when built with GnuTLS. Despite applications explicitly enabling certificate verification through verify_server or verify_client flags, the SIP TLS transport accepts connections with invalid or untrusted certificates, exposing SIP signaling to interception and manipulation. Vendor-released patch available in version 2.17 with GitHub commit ef684252. No public exploit identified at time of analysis, though the vulnerability is straightforward to exploit given the network attack vector and low complexity (CVSS:4.0 AV:N/AC:L/PR:N).
Technical ContextAI
PJSIP (pjproject) is a widely-used open-source SIP/VoIP stack written in C, commonly integrated into telephony applications, VoIP servers, and unified communications platforms. The vulnerability exists in the GnuTLS-specific TLS implementation (pjlib/src/pj/ssl_sock_gtls.c) where the tls_cert_verify_cb callback function fails to enforce certificate verification policy correctly. The root cause (CWE-295: Improper Certificate Validation) stems from conditional logic that allows TLS handshakes to complete successfully even when certificate chain-trust validation fails and the application has set verify_peer flags. The GnuTLS backend incorrectly returns success from the verification callback rather than GNUTLS_E_CERTIFICATE_ERROR when invalid certificates are presented. This affects the sip_transport_tls component which relies on the lower SSL socket layer to enforce certificate policies. The patch restructures the callback to always populate the verification status and only abort handshakes when verify_peer is set at the SSL-socket level, allowing upper-layer SIP transport code to inspect and enforce its own certificate policies correctly.
RemediationAI
Upgrade PJSIP pjproject to version 2.17 or later, available at https://github.com/pjsip/pjproject/releases/tag/2.17, which includes commit ef684252bb62b0716675b6e99ad7fe4c90e28920 that restructures the GnuTLS certificate verification callback to correctly enforce verify_peer flags. For applications unable to upgrade immediately, switch to OpenSSL TLS backend by recompiling PJSIP with OpenSSL instead of GnuTLS (configure with --disable-libgnutls --enable-libssl), though this requires build environment changes and testing for compatibility. As a temporary workaround, implement application-layer certificate pinning or manual certificate validation by inspecting the peer certificate chain after connection establishment, though this adds complexity and may not prevent all attack scenarios since the TLS handshake still completes with invalid certificates. Network-level compensating controls include restricting SIP TLS endpoints to known trusted IP ranges via firewall rules and deploying TLS-terminating reverse proxies with proper certificate validation in front of vulnerable PJSIP services, though this introduces additional infrastructure and may break direct peer-to-peer SIP features. No workaround fully mitigates risk - upgrade to 2.17 is the recommended remediation path.
Heap buffer overflow in PJSIP 2.16 and earlier allows local attackers with user interaction to execute arbitrary code or
Integer overflow in PJSIP 2.16 and earlier enables remote unauthenticated attackers to trigger memory corruption or appl
PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, a stack buffer overf
PJSIP versions 2.16 and below contain a cascading out-of-bounds heap read vulnerability in the pjsip_multipart_parse() f
Heap out-of-bounds read in PJSIP's VP9 RTP unpacketizer allows remote attackers to read memory beyond allocated buffer b
Same weakness CWE-295 – Improper Certificate Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28428