Executive Summary

CVE-2025-14953 is a vulnerability in Open5GS versions up to 2.7.5 affecting the User Plane Function (UPF). It occurs because the system accepts PFCP Session Establishment Requests containing a CreatePDR message that lacks the mandatory FAR-ID (Forwarding Action Rule Identifier). When the UPF later receives a GTP-U packet matching this malformed PDR, it attempts to dereference a NULL pointer (the missing FAR-ID), causing an assertion failure and crashing the UPF process. This is a null pointer dereference vulnerability leading to denial of service. The issue arises from improper validation of mandatory Information Elements in PFCP messages, violating 3GPP TS 29.244 specifications. A patch has been released to reject such malformed requests and prevent the crash. [1, 2, 3, 4]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause a denial-of-service (DoS) condition by crashing the Open5GS User Plane Function (UPF) component. An attacker who can send PFCP Session Establishment Requests and GTP-U packets can exploit this flaw to crash the UPF, disrupting user plane traffic forwarding and impacting system availability. Although exploitation is difficult, a public proof-of-concept exploit exists, increasing the risk. The crash results from the UPF dereferencing a NULL pointer due to missing mandatory FAR-ID in the PFCP messages, causing the process to abort and service disruption. [1, 2, 4]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for crashes or assertion failures in the Open5GS UPF component, specifically related to the function _gtpv1_u_recv_cb() or ogs_pfcp_handle_create_pdr(). Detection involves observing logs for assertion failures indicating dereferencing of a NULL FAR pointer. Additionally, network traffic analysis can be performed to identify PFCP Session Establishment Requests containing CreatePDR IEs without the mandatory FAR-ID. A proof-of-concept involves sending a PFCP Session Establishment Request missing the FAR-ID and then sending a matching GTP-U packet to trigger the crash. While specific commands are not provided, using packet capture tools (e.g., tcpdump) to capture PFCP and GTP-U packets and analyzing them for malformed CreatePDR messages lacking FAR-ID can help detect attempts to exploit this vulnerability. [2, 4]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to apply the patch identified by commit 93a9fd98a8baa94289be3b982028201de4534e32, which adds mandatory IE validation to reject CreatePDR messages lacking the FAR-ID, preventing the NULL pointer dereference and subsequent crash. Until the patch is applied, monitoring and filtering PFCP Session Establishment Requests to block those missing the FAR-ID IE can reduce risk. Ensuring that only trusted sources can send PFCP messages to the UPF and limiting exposure of the PFCP interface can also help mitigate exploitation. [1, 3]

Useful 0 Not Useful 0

Compliance Impact

The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0