Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.0, FreeSWITCH includes a vulnerable function, PREFIX(prologTok)(), in libs/xmlrpc-c/lib/expat/xmltok/xmltok_impl.c, which was cloned from an outdated and vulnerable version in libexpat/libexpat. The function did not receive the corresponding security patch. This issue has been patched in version 1.11.0.
AnalysisAI
Denial-of-service exposure in FreeSWITCH versions prior to 1.11.0 stems from a vendored, unpatched copy of libexpat XML tokenization code embedded in the bundled xmlrpc-c library. The function PREFIX(prologTok)() in libs/xmlrpc-c/lib/expat/xmltok/xmltok_impl.c was cloned from an outdated upstream libexpat release and never received the corresponding security fix, leaving FreeSWITCH's XML parsing surface vulnerable. An authenticated low-privilege attacker over the network can exploit this to achieve high availability impact against the telecom stack; no public exploit or CISA KEV listing has been identified at time of analysis.
Technical ContextAI
FreeSWITCH (CPE: cpe:2.3:a:signalwire:freeswitch:*:*:*:*:*:*:*:*) ships a bundled copy of xmlrpc-c, which itself contains a vendored fork of the Expat XML parser. The affected file - libs/xmlrpc-c/lib/expat/xmltok/xmltok_impl.c - implements low-level XML tokenization and is macro-instantiated via the PREFIX() pattern to produce multiple encoding-specific variants (e.g., for UTF-8, UTF-16). The prologTok() function handles tokenization of the XML declaration prologue. Because this copy was cloned from a historically vulnerable libexpat snapshot and was never synchronized with upstream security patches, a known flaw persisted in FreeSWITCH's parse path long after the canonical libexpat project resolved it. CWE-116 (Improper Encoding or Escaping of Output) is assigned; however, this classification is potentially inconsistent with the availability-only CVSS impact (C:N/I:N/A:H) and the XML tokenizer context - the root cause more typically aligns with improper input validation or buffer handling in XML parsing code. This discrepancy should be verified against the full GHSA advisory.
RemediationAI
Upgrade FreeSWITCH to version 1.11.0 or later, which is confirmed by the vendor as the patched release (https://github.com/signalwire/freeswitch/releases/tag/v1.11.0). The v1.11.0 release notes explicitly describe this as an important release containing critical security fixes and encourage all users to upgrade whenever possible. Note that v1.11.0 also introduces breaking changes: migration from PCRE to PCRE2, removal of approximately 30 legacy modules, and a Windows OpenSSL upgrade to 3.x - operators should review the full release notes before deploying to production. If an immediate upgrade is not feasible, a compensating control would be to restrict access to FreeSWITCH's XML-RPC interface at the network layer, limiting exposure to trusted hosts only, thereby reducing the pool of potential authenticated attackers who could reach the vulnerable parse path. The GHSA advisory at https://github.com/signalwire/freeswitch/security/advisories/GHSA-4jm3-xpcm-mwwq should be consulted for any additional vendor-specified mitigations.
More in Freeswitch
View allFreeSWITCH 1.6.10 through 1.10.1 has a default password in event_socket.conf.xml. Rated critical severity (CVSS 9.8), th
Heap-based buffer overflow in the parse_string function in libs/esl/src/esl_json.c in FreeSWITCH before 1.4.23 and 1.6.x
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
An issue was discovered in function sofia_handle_sip_i_notify in sofia.c in SignalWire freeswitch before 1.10.6, may all
FreeSWITCH through 1.8.2, when mod_xml_rpc is enabled, allows remote attackers to execute arbitrary commands via the api
Multiple buffer overflows in the switch_perform_substitution function in switch_regex.c in FreeSWITCH 1.2 allow remote a
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
Heap buffer overflow in FreeSWITCH mod_verto prior to version 1.11.1 allows remote unauthenticated attackers to corrupt
Same weakness CWE-116 – Improper Encoding or Escaping of Output
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35469