References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Change History

https://github.com/free5gc/free5gc/security/advisories/GHSA-44qj-cghf-9p97

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without inbound OAuth2 middleware. The POST /upi/v1/upNodesLinks create-or-update handler accepts attacker-controlled JSON and passes it directly into UpNodesFromConfiguration(), which calls logger.InitLog.Fatalf(...) on several validation failures. One confirmed path is the UE-IP-pool overlap check: a single unauthenticated POST that adds a new UPF whose pool overlaps an existing UPF terminates the entire SMF process (docker ps shows Exited (1)), not just the goroutine. This vulnerability is fixed in 4.2.2.

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-306

CWE-617

CWE-862

https://github.com/free5gc/free5gc/issues/906

https://github.com/free5gc/free5gc/security/advisories/GHSA-44qj-cghf-9p97

https://github.com/free5gc/smf/commit/e0974e07ddab44a67d36a563cca383b2449e33e5

https://github.com/free5gc/smf/pull/203