
Security has always been an important part of the OpenSIPS development process. As a project used in production SIP infrastructures, OpenSIPS needs to remain stable, reliable and secure across a wide range of deployments.
Recently, we received a significant number of security-related reports against the OpenSIPS code base. This follows a broader trend in open source security research, where AI-assisted tools, static analysis and automated workflows are increasingly used to identify potential issues in software projects.
OpenSIPS was no exception. In the last two weeks alone, this translated into:
- 30 security reports received, reviewed and analyzed
- 24 commits dedicated to security fixes and related hardening
- 12 security advisories opened for the affected versions
- 6 CVEs assigned for the confirmed vulnerabilities
- 1 OpenSIPS release published with the relevant fixes
A Recent Wave of Security Reports
Over the last two weeks, we received a significant number of security-related reports against the OpenSIPS code base: 19 reports from one researcher, 5 from a second and 6 from a third. Some of these reports overlapped, some described similar issues from different angles, and some turned out to be less critical after investigation.
Still, each report was reviewed, validated and classified in order to understand its real impact, the affected code path and the conditions required to trigger it. When an issue was confirmed, we prioritized the fix and worked to make it available as quickly as possible across the maintained OpenSIPS releases.
Security fixes are not postponed or treated as secondary work. Whether the issue is critical, configuration-dependent or mostly a robustness improvement, we handle it with the attention and urgency expected from a project used in production SIP infrastructures.
Responsible and Timely Disclosure
For each relevant report, we followed a clear process: validate the issue, reproduce it where possible, assess the impact, prepare the fix, backport it to maintained releases when needed, and publish advisories for the issues that required public disclosure.
This allows us to move quickly, but responsibly. Security fixes need to be timely, but they also need to be accurate and safe.
It is also important to put these reports into context. A security report does not automatically mean that all OpenSIPS deployments are vulnerable. Many issues depend on specific configurations, loaded modules or traffic scenarios. Our role is to analyze each report carefully, fix what needs to be fixed, and clearly communicate when users need to take action.
Acknowledgements
We would like to thank the researchers and security teams who took the time to analyze OpenSIPS and responsibly report their findings:
- Sandro Gauci and Alfred Farrugia from Enable Security
- Tristan Madani from Talence Security
- Haruto Kimura from Stella
Their reports and collaboration helped us identify, validate and address several issues across the OpenSIPS code base. We appreciate their contribution and the constructive communication throughout the disclosure process.
Moving Forward
OpenSIPS remains strongly committed to security, stability and transparency.
The recent fixes are part of the continuous maintenance and hardening of the project. As security research evolves and new tools become available, we expect more reports to appear — and we are ready to handle them with the same priority and attention.
We welcome further collaboration with the security community and encourage anyone who identifies a potential issue to report it responsibly.
Security is a continuous process — and in OpenSIPS, it is treated as a priority.
