CVE-2025-44951
BaseFortify
Publication date: 2025-06-18
Last updated on: 2025-07-09
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open5gs | open5gs | up to 2.7.2 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-120 | The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-44951 is a buffer overflow vulnerability in the PFCP library used by the SMF and UPF components of open5gs version 2.7.2 and earlier. It occurs due to a missing length check in the function `ogs_pfcp_dev_add` when handling the `session.dev` field. A local attacker who can modify configuration files can supply a string longer than 32 characters for the `dev` field, causing a buffer overflow and potential memory corruption. This happens because unsafe string copy functions like `strcpy` are used without validating input length. [1]
How can this vulnerability impact me?
This vulnerability can lead to a buffer overflow, which may cause memory corruption in the affected components (SMF and UPF) of open5gs. This can result in crashes, denial of service, or potentially allow an attacker to execute arbitrary code with local access. However, exploitation requires local access to modify configuration files, limiting the attack vector to local attackers. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether the open5gs version in use is 2.7.2 or earlier and whether the configuration files for the SMF or UPF components contain 'dev' fields with values longer than 32 characters or 'dnn' fields with values longer than 101 characters. Detection can also involve reviewing source code or logs for unsafe string copy operations in the functions `ogs_pfcp_dev_add` and `ogs_pfcp_subnet_add`. During testing, debug print statements placed before and after the vulnerable strcpy calls were used to confirm the behaviour. Specific commands are not provided, but inspecting configuration files for overly long 'dev' or 'dnn' values and verifying the open5gs version are recommended. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include preventing local attackers from modifying configuration files by restricting access permissions. Additionally, upgrading open5gs to a version later than 2.7.2 where this vulnerability is fixed is recommended. If patching is possible, replacing unsafe string copy functions like strcpy with safer alternatives such as snprintf, strcpy_s, or strlcpy to enforce proper length checks in the affected functions (`ogs_pfcp_dev_add` and `ogs_pfcp_subnet_add`) is advised. [1]
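The length check described in the detection and mitigation answers above, written out as an added example (this is not open5gs code; the buffer sizes, the struct, and the function names are assumptions taken from the 32- and 101-character limits the answers quote). It shows the bounded copy that should replace the unchecked strcpy, plus a small audit helper that flags an over-long 'dev' or 'dnn' configuration value before it reaches such a copy:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer sizes, derived from the limits quoted in the Q&A above
 * (a 'dev' value longer than 32 or a 'dnn' value longer than 101 overflows). */
#define DEV_BUF_LEN 32
#define DNN_BUF_LEN 101

/* Hypothetical stand-in for the structure ogs_pfcp_dev_add() fills. */
struct pfcp_dev {
    char ifname[DEV_BUF_LEN];
};

/* Hardened form of the copy. The advisory describes strcpy(dev->ifname, ifname)
 * with no length check; here the value is rejected unless it fits together
 * with its NUL terminator, and the copy itself is explicitly bounded. */
static bool dev_add_checked(struct pfcp_dev *dev, const char *ifname)
{
    size_t n = strlen(ifname);
    if (n >= DEV_BUF_LEN)          /* leaves no room for the terminator */
        return false;
    memcpy(dev->ifname, ifname, n);
    dev->ifname[n] = '\0';
    return true;
}

/* Config audit helper for the detection step: true when a 'dev' or 'dnn'
 * value is short enough for the buffer it will be copied into. Keys the
 * advisory does not mention are not checked and always pass. */
static bool config_value_ok(const char *key, const char *value)
{
    size_t limit;
    if (strcmp(key, "dev") == 0)
        limit = DEV_BUF_LEN;
    else if (strcmp(key, "dnn") == 0)
        limit = DNN_BUF_LEN;
    else
        return true;
    return strlen(value) < limit;  /* strictly less: terminator must fit */
}

int main(void)
{
    struct pfcp_dev dev;
    /* "ogstun" is a constructed sample interface name. */
    printf("dev ogstun accepted: %d\n", dev_add_checked(&dev, "ogstun"));
    printf("dnn internet ok: %d\n", config_value_ok("dnn", "internet"));
    return 0;
}
```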