CVE-2025-60638
BaseFortify

Publication date: 2025-11-24

Last updated on: 2025-12-01

Assigner: MITRE

Description
An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via a crafted POST request to the Nnssf_NSSAIAvailability API.
Meta Information
Published: 2025-11-24
Last Modified: 2025-12-01
Generated: 2026-05-07
AI Q&A: 2025-11-24
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor | Product | Version / Range
free5gc | free5gc | 4.0.0
free5gc | free5gc | 4.0.1
CWE
CWE ID | Description
CWE-400 | The product does not properly control the allocation and maintenance of a limited resource.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the free5GC NSSF component (versions v4.0.0 and v4.0.1) where a specially crafted POST request to the Nnssf_NSSAIAvailability API endpoint causes the server to crash. The issue arises because the server code assumes an optional 'expiry' field in the JSON request is always present and calls a method on it without checking if it is nil. If the 'expiry' field is omitted, this causes a nil pointer dereference, leading to a runtime panic and a 500 Internal Server Error, effectively causing a denial of service. [1]


How can this vulnerability impact me?

This vulnerability can cause a denial of service by crashing the NSSF service in free5GC when it receives a malformed POST request missing the optional 'expiry' field. This means that an attacker can disrupt the availability of the NSSF component, potentially impacting network functions relying on it and causing service interruptions. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by sending a crafted POST request to the Nnssf_NSSAIAvailability API endpoint (/nssai-availability/subscriptions) with a JSON body that omits the optional "expiry" field. If the server crashes or returns a 500 Internal Server Error instead of the expected 201 Created response, the vulnerability is present. For example, you can use the following curl command to test detection: [1]

    curl -X POST http://<NSSF_SERVER>/nssai-availability/subscriptions -H "Content-Type: application/json" -d '{"nfNssaiAvailabilityUri": "fuzzstring", "taiList": [{"plmnId": {"mcc": "fuzzstring", "mnc": "fuzzstring"}, "tac": "fuzzstring"}], "event": "SNSSAI_STATUS_CHANGE_REPORT"}'


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation involves preventing the NSSF service from crashing due to the missing "expiry" field. This can be done by applying the recommended fix, which adds a nil pointer check before calling the IsZero() method on the expiry field in the source code (nssaiavailability_subscription.go). Until a patch is applied, you should block or filter malformed POST requests to the /nssai-availability/subscriptions endpoint that omit the "expiry" field to avoid denial of service. Monitoring logs for panic stack traces originating from nssaiavailability_subscription.go can also help identify exploitation attempts. [1]
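
The nil check described above, shown as an added Go example that is not free5GC's own code. The subscription struct, the function names and the sample bodies are assumptions made for illustration; only the optional "expiry" field and the IsZero() call come from the description.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// subscription is a hypothetical request body; a pointer field stays nil when its JSON key is absent.
type subscription struct {
	Event  string     `json:"event"`
	Expiry *time.Time `json:"expiry,omitempty"`
}

// expiryUnchecked shows the flawed pattern: IsZero() is called through a pointer that may be nil.
func expiryUnchecked(body []byte) (bool, error) {
	var s subscription
	if err := json.Unmarshal(body, &s); err != nil {
		return false, err
	}
	return !s.Expiry.IsZero(), nil // panics when "expiry" was omitted
}

// expiryChecked shows the fixed pattern: test for nil before dereferencing.
func expiryChecked(body []byte) (bool, error) {
	var s subscription
	if err := json.Unmarshal(body, &s); err != nil {
		return false, err
	}
	return s.Expiry != nil && !s.Expiry.IsZero(), nil
}

// panics reports whether f panics on body, recovering so the caller keeps running.
func panics(f func([]byte) (bool, error), body []byte) (p bool) {
	defer func() { p = recover() != nil }()
	_, _ = f(body)
	return false
}

// Constructed sample bodies, not captured traffic.
var withoutExpiry = []byte(`{"event":"SNSSAI_STATUS_CHANGE_REPORT"}`)
var withExpiry = []byte(`{"event":"SNSSAI_STATUS_CHANGE_REPORT","expiry":"2030-01-01T00:00:00Z"}`)

func main() {
	fmt.Println("unchecked panics without expiry:", panics(expiryUnchecked, withoutExpiry))
	fmt.Println("checked panics without expiry:", panics(expiryChecked, withoutExpiry))
	set, _ := expiryChecked(withExpiry)
	fmt.Println("checked, expiry present:", set)
}
```
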

