CVE-2025-14953
BaseFortify
Publication date: 2025-12-19
Last updated on: 2026-04-29
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open5gs | open5gs | up to 2.7.5 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2025-14953 is a vulnerability in the User Plane Function (UPF) of Open5GS versions up to 2.7.5. The UPF accepts PFCP Session Establishment Requests whose CreatePDR IE lacks the mandatory FAR-ID (Forwarding Action Rule Identifier). When the UPF later receives a GTP-U packet matching this malformed PDR, it attempts to dereference a NULL pointer (the FAR that was never set because the FAR-ID was missing), which causes an assertion failure and crashes the UPF process. This is a NULL pointer dereference leading to denial of service. The root cause is improper validation of mandatory Information Elements in PFCP messages, in violation of 3GPP TS 29.244. A patch has been released that rejects such malformed requests and prevents the crash. [1, 2, 3, 4]
How can this vulnerability impact me?
This vulnerability can cause a denial-of-service (DoS) condition by crashing the Open5GS User Plane Function (UPF) component. An attacker who can send PFCP Session Establishment Requests and GTP-U packets can exploit this flaw to crash the UPF, disrupting user plane traffic forwarding and impacting system availability. Although exploitation is difficult, a public proof-of-concept exploit exists, which increases the risk. The crash results from the UPF dereferencing a NULL pointer because the mandatory FAR-ID is missing from the PFCP message; the process aborts and service is disrupted. [1, 2, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or assertion failures in the Open5GS UPF component, specifically related to the function _gtpv1_u_recv_cb() or ogs_pfcp_handle_create_pdr(). Detection involves observing logs for assertion failures indicating dereferencing of a NULL FAR pointer. Additionally, network traffic analysis can be performed to identify PFCP Session Establishment Requests containing CreatePDR IEs without the mandatory FAR-ID. A proof-of-concept involves sending a PFCP Session Establishment Request missing the FAR-ID and then sending a matching GTP-U packet to trigger the crash. While specific commands are not provided, using packet capture tools (e.g., tcpdump) to capture PFCP and GTP-U packets and analyzing them for malformed CreatePDR messages lacking FAR-ID can help detect attempts to exploit this vulnerability. [2, 4]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to apply the patch identified by commit 93a9fd98a8baa94289be3b982028201de4534e32, which adds mandatory IE validation to reject CreatePDR messages lacking the FAR-ID, preventing the NULL pointer dereference and subsequent crash. Until the patch is applied, monitoring and filtering PFCP Session Establishment Requests to block those missing the FAR-ID IE can reduce risk. Ensuring that only trusted sources can send PFCP messages to the UPF and limiting exposure of the PFCP interface can also help mitigate exploitation. [1, 3]
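The check described in the detection and mitigation answers above, as an added example (it is not Open5GS code and is not taken from the patch): it walks the IEs of one captured PFCP message and reports every Create PDR IE that carries no FAR ID. The type numbers (Session Establishment Request 50, Create PDR 1, PDR ID 56, FAR ID 108) are from 3GPP TS 29.244; the function names and the sample message are constructed for illustration.

```python
import struct

# Type numbers from 3GPP TS 29.244
MSG_SESSION_ESTABLISHMENT_REQUEST = 50
IE_CREATE_PDR, IE_PDR_ID, IE_FAR_ID = 1, 56, 108

def iter_ies(buf):
    """Yield (type, value) for each TLV-encoded IE; raise on truncation."""
    off = 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated IE header")
        ie_type, ie_len = struct.unpack_from("!HH", buf, off)
        if off + 4 + ie_len > len(buf):
            raise ValueError("truncated IE value")
        yield ie_type, buf[off + 4:off + 4 + ie_len]
        off += 4 + ie_len

def pdrs_missing_far_id(pfcp):
    """Return the PDR IDs of Create PDR IEs that carry no FAR ID.

    pfcp is the UDP payload of one PFCP message; other message types
    return an empty list.
    """
    if len(pfcp) < 8 or pfcp[0] >> 5 != 1:
        raise ValueError("not a PFCP version 1 message")
    flags, msg_type, length = struct.unpack_from("!BBH", pfcp)
    if 4 + length > len(pfcp):
        raise ValueError("PFCP length field exceeds payload")
    if msg_type != MSG_SESSION_ESTABLISHMENT_REQUEST:
        return []
    header_len = 16 if flags & 0x01 else 8  # S flag set: 8-byte SEID present
    missing = []
    for ie_type, value in iter_ies(pfcp[header_len:4 + length]):
        if ie_type != IE_CREATE_PDR:
            continue
        children = dict(iter_ies(value))  # IEs grouped inside this Create PDR
        if IE_FAR_ID not in children:
            pdr_id = children.get(IE_PDR_ID)
            missing.append(int.from_bytes(pdr_id[:2], "big") if pdr_id else None)
    return missing

def _ie(ie_type, value):
    return struct.pack("!HH", ie_type, len(value)) + value

def sample_request(with_far_id):
    """Constructed, deliberately minimal request (PDR ID 1, SEID 0, sequence 1)."""
    pdr = _ie(IE_PDR_ID, b"\x00\x01")
    if with_far_id:
        pdr += _ie(IE_FAR_ID, b"\x00\x00\x00\x01")
    body = _ie(IE_CREATE_PDR, pdr)
    header = struct.pack("!BBHQ", 0x21, MSG_SESSION_ESTABLISHMENT_REQUEST, 12 + len(body), 0)
    return header + b"\x00\x00\x01\x00" + body
```

Pass it the UDP payload of each packet captured on the PFCP port (UDP 8805); a non-empty result identifies a request that an unpatched UPF would accept and that should be logged or dropped.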