Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, a single unauthenticated WebSocket frame containing a deeply nested JSON document crashes the FreeSWITCH process via stack overflow, terminating all calls and sessions on the host. The recursion drives the worker thread's stack pointer into the stack guard page, raising SIGSEGV from the kernel before any usable write primitive develops. This issue has been patched in version 1.11.1.
AnalysisAI
Denial of service in FreeSWITCH prior to version 1.11.1 allows remote unauthenticated attackers to crash the entire telephony process by sending a single WebSocket frame carrying a deeply nested JSON document. The recursive parsing exhausts the worker thread's stack and triggers SIGSEGV via the kernel stack guard page, terminating all active calls and sessions on the host. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the trivial network-reachable trigger and availability-only impact make it a credible service-disruption risk for exposed VoIP infrastructure.
Technical ContextAI
FreeSWITCH is an open-source Software Defined Telecom Stack maintained by SignalWire (CPE cpe:2.3:a:signalwire:freeswitch) that powers SIP, WebRTC, and Verto-based real-time communications on commodity hardware. The root cause is CWE-674 (Uncontrolled Recursion): the embedded cJSON parser used to decode WebSocket frames (typically via mod_verto, FreeSWITCH's WebRTC signaling module) recurses once per nested object/array level without a depth cap, so a maliciously crafted JSON document drives the parser's stack frames into the OS-reserved stack guard page. Because the fault is taken by the kernel before any controllable write primitive develops, the bug is limited to a crash - but a crash of the FreeSWITCH worker terminates every call and session on the host. The upstream fix in v1.11.1 caps cJSON parser nesting depth, as explicitly noted in the release changelog entry '[build] Cap cJSON parser nesting depth to prevent stack overflow.'
RemediationAI
Vendor-released patch: FreeSWITCH 1.11.1 - upgrade immediately, per the SignalWire advisory at https://github.com/signalwire/freeswitch/security/advisories/GHSA-2v74-pcgh-75wg and the release notes at https://github.com/signalwire/freeswitch/releases/tag/v1.11.1, which explicitly cap cJSON parser nesting depth to prevent the stack overflow. For environments that cannot upgrade immediately, restrict network reachability to the WebSocket signaling ports used by mod_verto (default TCP 8081/8082) to trusted client subnets or place them behind an authenticating reverse proxy or WAF that enforces a maximum JSON nesting depth and frame size on incoming WebSocket payloads - the trade-off is that legitimate WebRTC clients connecting from arbitrary networks will be blocked or require additional authentication infrastructure. If WebSocket/Verto signaling is not in use, disable mod_verto in modules.conf.xml to remove the attack surface entirely, accepting the loss of WebRTC signaling functionality. Monitor FreeSWITCH process supervisors and SIP/Verto session counts for sudden terminations as a detection signal until patching is complete.
More in Freeswitch
View allFreeSWITCH 1.6.10 through 1.10.1 has a default password in event_socket.conf.xml. Rated critical severity (CVSS 9.8), th
Heap-based buffer overflow in the parse_string function in libs/esl/src/esl_json.c in FreeSWITCH before 1.4.23 and 1.6.x
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
An issue was discovered in function sofia_handle_sip_i_notify in sofia.c in SignalWire freeswitch before 1.10.6, may all
FreeSWITCH through 1.8.2, when mod_xml_rpc is enabled, allows remote attackers to execute arbitrary commands via the api
Multiple buffer overflows in the switch_perform_substitution function in switch_regex.c in FreeSWITCH 1.2 allow remote a
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
Heap buffer overflow in FreeSWITCH mod_verto prior to version 1.11.1 allows remote unauthenticated attackers to corrupt
Same weakness CWE-674 – Uncontrolled Recursion
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35493