Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, mod_verto's check_auth userauth branch wrote request-supplied userVariables into the connection state before comparing the supplied password. The writes are append-only and the connection is not closed on a failed compare, so values declared on bad-password attempts persisted on the same WebSocket and carried into a subsequent successful login on that connection. This issue has been patched in version 1.11.1.
AnalysisAI
mod_verto session state pollution in FreeSWITCH allows an authenticated WebSocket user to inject arbitrary userVariables into connection state before password verification completes, with those values persisting into any subsequent successful login on the same connection. All versions prior to 1.11.1 are affected via the check_auth userauth branch, which performs append-only state writes before the password comparison gate, and crucially does not close the connection on a failed compare. No public exploit has been identified and the vulnerability is not in CISA KEV, but the vendor explicitly labeled this release a critical security fix and strongly urged immediate upgrade.
Technical ContextAI
FreeSWITCH (CPE: cpe:2.3:a:signalwire:freeswitch:*:*:*:*:*:*:*:*) is a software-defined telecom stack; mod_verto is its WebSocket/JSON-RPC signaling module used for browser-based real-time communications. The root cause is CWE-287 (Improper Authentication): the check_auth userauth code path wrote caller-supplied userVariables into the per-connection state object before evaluating whether the supplied password was correct. Because the writes are append-only and the WebSocket connection is not torn down on authentication failure, any userVariables written during a failed attempt survive on the connection object. When the same WebSocket connection subsequently carries a successful login, those previously written variables are already present in the connection state and are treated as legitimate session data. The fix, confirmed in the v1.11.1 release notes as '[mod_verto] Defer userauth state writes until after password gate,' moves the state mutation to after the password gate, eliminating the race between write and verify.
RemediationAI
Upgrade FreeSWITCH to version 1.11.1, the vendor-released patch that defers mod_verto userauth state writes until after the password gate. The fix is confirmed in the release notes at https://github.com/signalwire/freeswitch/releases/tag/v1.11.1 and the security advisory at https://github.com/signalwire/freeswitch/security/advisories/GHSA-j38x-xm7f-9p2f. If immediate upgrade is not possible, a compensating control is to disable mod_verto entirely if WebSocket/JSON-RPC signaling is not operationally required - note this will remove browser-based RTC functionality. Alternatively, restrict WebSocket access to mod_verto to trusted source IPs via firewall rules, reducing the pool of potential attackers to those already with network-level access; this limits exposure but does not eliminate the vulnerability for authorized low-privilege users who can still initiate connections. No side effects are expected from the upgrade itself beyond the behavioral change to auth sequencing.
More in Freeswitch
View allFreeSWITCH 1.6.10 through 1.10.1 has a default password in event_socket.conf.xml. Rated critical severity (CVSS 9.8), th
Heap-based buffer overflow in the parse_string function in libs/esl/src/esl_json.c in FreeSWITCH before 1.4.23 and 1.6.x
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
An issue was discovered in function sofia_handle_sip_i_notify in sofia.c in SignalWire freeswitch before 1.10.6, may all
FreeSWITCH through 1.8.2, when mod_xml_rpc is enabled, allows remote attackers to execute arbitrary commands via the api
Multiple buffer overflows in the switch_perform_substitution function in switch_regex.c in FreeSWITCH 1.2 allow remote a
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
Heap buffer overflow in FreeSWITCH mod_verto prior to version 1.11.1 allows remote unauthenticated attackers to corrupt
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35495