Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, the mod_verto HTTP request handler allocates a fixed 2 MiB buffer for a POST application/x-www-form-urlencoded body but accepts Content-Length up to just under 10 MiB. The body-read loop is bounded by Content-Length rather than the buffer size, producing an attacker-controlled heap overflow of up to ~8 MiB -- before the HTTP basic-auth check runs. This issue has been patched in version 1.11.1.
AnalysisAI
Heap buffer overflow in FreeSWITCH mod_verto prior to version 1.11.1 allows remote unauthenticated attackers to corrupt up to ~8 MiB of heap memory by sending a crafted HTTP POST request with an oversized Content-Length header. The flaw is triggered before HTTP basic-auth validation runs, enabling pre-authentication exploitation against any exposed mod_verto HTTP endpoint, with CVSS 9.8 reflecting potential for remote code execution; no public exploit identified at time of analysis.
Technical ContextAI
FreeSWITCH is an open-source software-defined telecom stack maintained by SignalWire (per the cpe:2.3:a:signalwire:freeswitch CPE). The vulnerability lives in mod_verto, the WebSocket/HTTP module that powers Verto signaling for WebRTC clients. Specifically, the HTTP POST handler for application/x-www-form-urlencoded bodies allocates a fixed 2 MiB heap buffer, but the body-read loop is bounded by the attacker-supplied Content-Length header (accepted up to just under 10 MiB) rather than the destination buffer's size. This is a classic CWE-122 heap-based buffer overflow caused by a length-check mismatch between allocation and copy, and critically the overflow occurs before HTTP basic authentication is enforced, making the vulnerable code path reachable by anonymous attackers.
RemediationAI
Vendor-released patch: upgrade FreeSWITCH to version 1.11.1 or later, which contains the 'mod_verto: Fix heap overflow in HTTP POST body read' fix listed in the v1.11.1 release notes at https://github.com/signalwire/freeswitch/releases/tag/v1.11.1; the GHSA-wfrq-qvg2-f88f advisory provides the coordinated disclosure details. Operators who cannot upgrade immediately should restrict network exposure of the mod_verto HTTP listener - bind it only to trusted interfaces, place it behind a reverse proxy or WAF that enforces a maximum Content-Length well under 2 MiB on POST application/x-www-form-urlencoded requests to Verto endpoints, or disable mod_verto entirely if WebRTC/Verto signaling is unused (trade-off: WebRTC clients will lose connectivity). Network ACLs limiting source IPs to known SIP/WebRTC clients reduce exposure but do not eliminate risk from compromised internal hosts.
More in Freeswitch
View allFreeSWITCH 1.6.10 through 1.10.1 has a default password in event_socket.conf.xml. Rated critical severity (CVSS 9.8), th
Heap-based buffer overflow in the parse_string function in libs/esl/src/esl_json.c in FreeSWITCH before 1.4.23 and 1.6.x
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
An issue was discovered in function sofia_handle_sip_i_notify in sofia.c in SignalWire freeswitch before 1.10.6, may all
FreeSWITCH through 1.8.2, when mod_xml_rpc is enabled, allows remote attackers to execute arbitrary commands via the api
Multiple buffer overflows in the switch_perform_substitution function in switch_regex.c in FreeSWITCH 1.2 allow remote a
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35472