CVE-2023-28096: OpenSIPS, a Session Initiation Protocol (SIP) server implementation, has a memory leak starting in the 2.3 branch and priot to versions 3.1.8 and 3.2....

Description

OpenSIPS, a Session Initiation Protocol (SIP) server implementation, has a memory leak starting in the 2.3 branch and priot to versions 3.1.8 and 3.2.5. The memory leak was detected in the function `parse_mi_request` while performing coverage-guided fuzzing. This issue can be reproduced by sending multiple requests of the form `{"jsonrpc": "2.0","method": "log_le`. This malformed message was tested against an instance of OpenSIPS via FIFO transport layer and was found to increase the memory consumption over time. To abuse this memory leak, attackers need to reach the management interface (MI) which typically should only be exposed on trusted interfaces. In cases where the MI is exposed to the internet without authentication, abuse of this issue will lead to memory exhaustion which may affect the underlying system’s availability. No authentication is typically required to reproduce this issue. On the other hand, memory leaks may occur in other areas of OpenSIPS where the cJSON library is used for parsing JSON objects. The issue has been fixed in versions 3.1.8 and 3.2.5.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

0.77%

50.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-401

Affected Software

Vendor	Product	Versions
Opensips	Opensips	< 3.1.8
Opensips	Opensips	>= 3.2.0, < 3.2.5

References

https://github.com/OpenSIPS/opensips/commit/417568707520af25ec5c5dd91da18e6db3649dcbPatch, Third Party Advisory
https://github.com/OpenSIPS/opensips/security/advisories/GHSA-2mg2-g46r-j4qrThird Party Advisory
https://opensips.org/pub/audit-2022/opensips-audit-technical-report-full.pdfVendor Advisory
https://github.com/OpenSIPS/opensips/commit/417568707520af25ec5c5dd91da18e6db3649dcbPatch, Third Party Advisory
https://github.com/OpenSIPS/opensips/security/advisories/GHSA-2mg2-g46r-j4qrThird Party Advisory
https://opensips.org/pub/audit-2022/opensips-audit-technical-report-full.pdfVendor Advisory

Timeline

Published: Mar 15, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-28096?

OpenSIPS, a Session Initiation Protocol (SIP) server implementation, has a memory leak starting in the 2.3 branch and priot to versions 3.1.8 and 3.2.5. The memory leak was detected in the function `parse_mi_request` while performing coverage-guided fuzzing. This issue can be reproduced by sending multiple requests of the form `{"jsonrpc": "2.0","method": "log_le`. This malformed message was tested against an instance of OpenSIPS via FIFO transport layer and was found to increase the memory consumption over time. To abuse this memory leak, attackers need to reach the management interface (MI) which typically should only be exposed on trusted interfaces. In cases where the MI is exposed to the internet without authentication, abuse of this issue will lead to memory exhaustion which may affect the underlying system’s availability. No authentication is typically required to reproduce this issue. On the other hand, memory leaks may occur in other areas of OpenSIPS where the cJSON library is used for parsing JSON objects. The issue has been fixed in versions 3.1.8 and 3.2.5.

How severe is CVE-2023-28096?

CVE-2023-28096 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 0.77% probability of exploitation in the next 30 days.

How do I fix CVE-2023-28096?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.