Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, mod_verto's WebSocket frame loop intercepts a #-prefixed speed-test protocol (#SPU / #SPB / #SPE) before any authentication check. The declared payload size in #SPU was parsed with atoi() and only rejected non-positive values, so an unauthenticated peer could request up to INT_MAX bytes. The server then wrote roughly size * 10 bytes back during the download phase, on the order of 20 GB per request, yielding strong outbound bandwidth amplification from a short request. This issue has been patched in version 1.11.1.
AnalysisAI
Unauthenticated outbound bandwidth amplification in FreeSWITCH versions prior to 1.11.1 allows remote attackers to coerce the server into emitting roughly 20 GB of traffic per short request via the mod_verto WebSocket #SPU speed-test command. The pre-auth code path parses the requested payload size with atoi() and only rejects non-positive values, letting a peer ask for up to INT_MAX bytes and triggering a size*10 download. No public exploit is identified at time of analysis, but the high-severity CVSS (7.5, A:H) and trivial trigger make this a credible DDoS-as-a-service primitive.
Technical ContextAI
FreeSWITCH (Signalwire) is an open-source software-defined telecom switch; mod_verto is its WebSocket-based signaling module for the Verto WebRTC protocol. The flaw sits in mod_verto's WebSocket frame loop, which inspects incoming frames for a '#'-prefixed speed-test sub-protocol (#SPU upload, #SPB bidirectional, #SPE end) before invoking the authentication gate. Per CWE-400 (Uncontrolled Resource Consumption), the #SPU handler converts the attacker-supplied payload-size string using atoi() with only a non-positive-value guard, then the download phase writes approximately ten times that value back to the peer - a classic missing upper-bound check producing bandwidth amplification rather than memory exhaustion. The CPE identifies signalwire:freeswitch in all versions matching the wildcard up to but not including 1.11.1.
RemediationAI
Vendor-released patch: upgrade to FreeSWITCH 1.11.1 (https://github.com/signalwire/freeswitch/releases/tag/v1.11.1), which moves the #SPU/#SPB/#SPE speed-test handlers behind the authentication gate and is the authoritative fix per advisory GHSA-p3gx-p2w7-wp35. If immediate upgrade is not possible, restrict network exposure of the mod_verto WebSocket listener (commonly TCP 8081/8082) at the firewall to known WebRTC client networks, or unload mod_verto entirely via fs_cli 'unload mod_verto' if Verto signaling is unused - the trade-off is loss of all WebRTC/Verto-based call handling for that node. As a narrower mitigation, terminate the WebSocket behind a reverse proxy that enforces per-IP egress byte caps and request-rate limits so a single connection cannot draw 20 GB of response traffic; this preserves Verto functionality but adds proxy latency and an operational dependency. Do not rely on authentication on the upstream Verto user accounts as a control - the vulnerable code path runs before any password check.
More in Freeswitch
View allFreeSWITCH 1.6.10 through 1.10.1 has a default password in event_socket.conf.xml. Rated critical severity (CVSS 9.8), th
Heap-based buffer overflow in the parse_string function in libs/esl/src/esl_json.c in FreeSWITCH before 1.4.23 and 1.6.x
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
An issue was discovered in function sofia_handle_sip_i_notify in sofia.c in SignalWire freeswitch before 1.10.6, may all
FreeSWITCH through 1.8.2, when mod_xml_rpc is enabled, allows remote attackers to execute arbitrary commands via the api
Multiple buffer overflows in the switch_perform_substitution function in switch_regex.c in FreeSWITCH 1.2 allow remote a
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
Heap buffer overflow in FreeSWITCH mod_verto prior to version 1.11.1 allows remote unauthenticated attackers to corrupt
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35473