CVE-2025-29646
BaseFortify
Publication date: 2025-06-18
Last updated on: 2025-07-09
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open5gs | open5gs | up to and including 2.7.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-29646 is a denial-of-service vulnerability in the User Plane Function (UPF) of Open5GS 2.7.2 and earlier. When the UPF processes a crafted PFCP Session Establishment Request in which the restoration indication is set and the supplied TEID (Tunnel Endpoint Identifier) is either zero or larger than the UPF's internal TEID pool, an assertion in the PFCP context code fails and the UPF process aborts with a fatal error and a core dump. The root cause is that the UPF trusts the sender-supplied TEID instead of validating it against the pool bounds (CWE-20). [1, 2]
How can this vulnerability impact me?
A remote attacker who can deliver crafted PFCP packets with an invalid TEID and the restoration indication set to the UPF can crash it. PFCP itself carries no authentication, so any host that can reach the UPF's N4 port (UDP 8805) can trigger the abort unless the interface is protected at the network layer. Because the UPF forwards all user-plane traffic for the sessions it serves, the crash takes down connectivity for those sessions and disrupts every network function that depends on the UPF, affecting availability until the process is restarted; repeated crafted requests can keep it down. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Because the fault is an assertion, the first visible symptom is usually the crash itself: watch the Open5GS UPF logs for a fatal assertion failure in lib/pfcp/context.c at line 1365 (the line number is specific to the affected release and will differ in other builds), followed by the process aborting and writing a core dump. To see attempts as they happen, capture PFCP traffic on the N4 interface (UDP port 8805) and inspect Session Establishment Request messages for a restoration indication together with a TEID that is zero or larger than the UPF's configured TEID pool size. For example, `tcpdump -i <interface> -nn udp port 8805 -w pfcp_capture.pcap` records the traffic and `tshark -r pfcp_capture.pcap -Y pfcp` decodes it for inspection. Note that the referenced resources do not provide specific detection commands, signatures, or tools; the commands above are generic capture steps. [1, 2]
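The inspection described above can be scripted. The following Python is an added example written for this page, not Open5GS code or anything from the referenced resources: it parses the PFCP header (3GPP TS 29.244), walks the Create PDR, PDI and F-TEID IEs of a Session Establishment Request, and flags any sender-supplied TEID that is zero or above an assumed pool size. Two assumptions are made: the "restoration indication" on this page is treated as an F-TEID whose CH (CHOOSE) bit is clear, meaning the sender supplies the TEID rather than letting the UPF choose one, and `ASSUMED_TEID_POOL_SIZE` is a placeholder to be replaced with the value from your UPF's configuration. The sample messages are constructed inline so the script runs offline.

```python
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constants from 3GPP TS 29.244 (PFCP). Message type 50 = Session Establishment Request.
PFCP_PORT = 8805
MSG_SESSION_ESTABLISHMENT_REQUEST = 50
IE_CREATE_PDR = 1
IE_PDI = 2
IE_F_TEID = 21
IE_PDR_ID = 56
FTEID_FLAG_V4 = 0x01
FTEID_FLAG_CH = 0x04  # CHOOSE: UPF allocates the TEID; when clear, the sender supplies it

# ASSUMPTION: placeholder pool size. Open5GS sizes its TEID pool from configuration;
# substitute the real value for the UPF you are monitoring.
ASSUMED_TEID_POOL_SIZE = 1024


@dataclass
class Finding:
    seid: int
    seq: int
    teid: int
    reason: str


def iter_ies(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk a run of TLV IEs: 2-byte type, 2-byte length, value. Rejects overruns."""
    off = 0
    while off + 4 <= len(buf):
        ie_type, ie_len = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + ie_len > len(buf):
            raise ValueError("IE length exceeds enclosing buffer")
        yield ie_type, buf[off:off + ie_len]
        off += ie_len


def parse_fteid(value: bytes) -> Tuple[bool, Optional[int]]:
    """Return (choose_set, teid). The 4-byte TEID follows the flags octet only when CH is clear."""
    if not value:
        raise ValueError("empty F-TEID")
    if value[0] & FTEID_FLAG_CH:
        return True, None
    if len(value) < 5:
        raise ValueError("F-TEID too short to carry a TEID")
    return False, struct.unpack_from("!I", value, 1)[0]


def inspect_pfcp(payload: bytes, pool_size: int = ASSUMED_TEID_POOL_SIZE) -> List[Finding]:
    """Inspect one PFCP message (a UDP payload) and report out-of-range sender-supplied TEIDs."""
    if len(payload) < 8:
        raise ValueError("PFCP header too short")
    first, msg_type, length = struct.unpack_from("!BBH", payload, 0)
    if first >> 5 != 1:
        raise ValueError("unsupported PFCP version")
    if 4 + length > len(payload):
        raise ValueError("PFCP length field exceeds payload")
    off, seid = 4, 0
    if first & 0x01:  # S flag: an 8-byte SEID precedes the sequence number
        seid = struct.unpack_from("!Q", payload, off)[0]
        off += 8
    seq = int.from_bytes(payload[off:off + 3], "big")
    off += 4  # 3-byte sequence number plus one spare octet
    findings: List[Finding] = []
    if msg_type != MSG_SESSION_ESTABLISHMENT_REQUEST:
        return findings
    for ie_type, pdr in iter_ies(payload[off:4 + length]):
        if ie_type != IE_CREATE_PDR:
            continue
        for sub_type, pdi in iter_ies(pdr):
            if sub_type != IE_PDI:
                continue
            for pdi_type, fteid in iter_ies(pdi):
                if pdi_type != IE_F_TEID:
                    continue
                choose, teid = parse_fteid(fteid)
                if choose:
                    continue  # UPF picks its own TEID; nothing sender-controlled to check
                if teid == 0:
                    findings.append(Finding(seid, seq, teid, "TEID is zero"))
                elif teid > pool_size:
                    findings.append(Finding(seid, seq, teid, f"TEID exceeds pool size {pool_size}"))
    return findings


def ie(ie_type: int, value: bytes) -> bytes:
    return struct.pack("!HH", ie_type, len(value)) + value


def build_session_establishment_request(teid: int, seid: int = 0x1, seq: int = 7) -> bytes:
    """Constructed sample: one Create PDR whose PDI carries an F-TEID with CH clear (sender-supplied TEID)."""
    fteid = ie(IE_F_TEID, bytes([FTEID_FLAG_V4]) + struct.pack("!I", teid) + bytes([10, 0, 0, 1]))
    create_pdr = ie(IE_CREATE_PDR, ie(IE_PDR_ID, struct.pack("!H", 1)) + ie(IE_PDI, fteid))
    length = 8 + 4 + len(create_pdr)  # SEID + sequence/spare + IEs; header length excludes the first 4 octets
    header = struct.pack("!BBH", 0x21, MSG_SESSION_ESTABLISHMENT_REQUEST, length)  # version 1, S flag set
    return header + struct.pack("!Q", seid) + seq.to_bytes(3, "big") + b"\x00" + create_pdr


if __name__ == "__main__":
    for sample_teid in (0, 5, ASSUMED_TEID_POOL_SIZE + 1):
        for f in inspect_pfcp(build_session_establishment_request(sample_teid)):
            print(f"seid=0x{f.seid:x} seq={f.seq} teid={f.teid}: {f.reason}")
```

To run this over a real capture, feed each UDP payload on port 8805 from the pcap (via any pcap reader library) to `inspect_pfcp()`. The parser deliberately raises `ValueError` on truncated headers and on IE lengths that overrun their enclosing buffer rather than guessing, which is the right behaviour for a detector that will be fed hostile input.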
What immediate steps should I take to mitigate this vulnerability?
The provided resources do not describe explicit mitigation steps, and they mention no patch or workaround. Until a fixed Open5GS release is available, reduce exposure at the network layer: PFCP on the N4 interface is exchanged only between the SMF and the UPF, so firewall rules should allow UDP port 8805 to the UPF only from the SMF addresses and drop everything else, and the N4 network should not be reachable from user equipment or the internet. Alert on UPF process aborts and core dumps so that an attack (or a misbehaving SMF sending malformed requests) is noticed quickly; running the UPF under a supervisor that restarts it shortens each outage but does not remove the fault, and repeated crashes will still disrupt every session served by that UPF. Upgrading to a release that validates the supplied TEID, once one is published, is the definitive remedy. [1, 2]