CVE-2025-14954
BaseFortify
Publication date: 2025-12-19
Last updated on: 2026-04-29
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open5gs | open5gs | up to and including 2.7.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-617 | The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-14954 is a vulnerability in Open5GS version 2.7.5 affecting the User Plane Function (UPF) during PFCP Session Establishment. When more than four Packet Detection Rules (PDRs) reference unique QoS Enforcement Rule IDs (QER-IDs) without corresponding explicit QER definitions, the UPF tries to implicitly allocate more QER objects than its per-session limit of four. This causes an internal assertion failure in the function ogs_pfcp_qer_find_or_add(), leading the UPF process (open5gs-upfd) to crash. The crash results in a denial-of-service (DoS) condition as all user-plane sessions are dropped. The vulnerability can be triggered remotely by sending a crafted PFCP Session Establishment request with excessive PDRs referencing unique QER-IDs without CreateQER Information Elements. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can cause the Open5GS UPF process to crash remotely, resulting in a denial-of-service (DoS) condition. When exploited, all existing user-plane sessions are dropped, disrupting network services that rely on Open5GS for packet forwarding and session management. This can lead to service outages and degraded network availability until the UPF process is restarted or patched. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the Open5GS UPF daemon (open5gs-upfd) logs for repeated errors related to PFCP Session Establishment requests that reference more than four unique QER-IDs without corresponding CreateQER Information Elements. Specifically, look for log entries indicating assertion failures such as `ogs_assert(qer)` or errors like `qer_id_pool() failed` and fatal assertion failures in `ogs_pfcp_qer_find_or_add()`. Additionally, network traffic analysis can be performed to detect PFCP Session Establishment requests containing five or more CreatePDR IEs each referencing unique QER-IDs without CreateQER IEs. Commands to check logs might include `journalctl -u open5gs-upfd` or `tail -f /var/log/open5gs/upfd.log` depending on your system's logging configuration. For network capture, tools like `tcpdump` or `wireshark` can be used to filter UDP traffic on the PFCP port (typically UDP 8805) to inspect PFCP messages for suspicious Session Establishment requests. [1, 2]
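The log check described in the answer above, as an added example (not code from this advisory or from the Open5GS project): it scans UPF log lines for the indicator strings named above and reports whether each assertion hit was directly preceded by a QER pool failure. The function names, the timestamp layout and the sample lines are assumptions constructed for illustration; adjust them to your logging configuration.

```python
import re
import sys

# Indicator substrings taken from the advisory text above.
POOL_FAIL = "qer_id_pool() failed"
ASSERT_MARKERS = ("ogs_pfcp_qer_find_or_add", "ogs_assert(qer)")

# Assumption: lines begin with "MM/DD HH:MM:SS"; change this for other log formats.
TS = re.compile(r"^(\d{2}/\d{2} \d{2}:\d{2}:\d{2})")

def classify(line):
    """Return 'pool_exhausted', 'qer_assert' or None for one log line."""
    if POOL_FAIL in line:
        return "pool_exhausted"
    if any(marker in line for marker in ASSERT_MARKERS):
        return "qer_assert"
    return None

def scan(lines, lookback=2):
    """List assertion hits; flag those with a pool failure in the previous `lookback` lines."""
    events, pool_lines = [], []
    for n, line in enumerate(lines, 1):
        kind = classify(line)
        if kind == "pool_exhausted":
            pool_lines.append(n)
        elif kind == "qer_assert":
            m = TS.match(line)
            events.append({
                "line": n,
                "time": m.group(1) if m else None,
                "pool_failure_before": any(0 < n - p <= lookback for p in pool_lines),
            })
    return events

# Constructed sample lines (not real Open5GS output), used to exercise scan().
SAMPLE_LOG = """\
12/19 10:00:01.100: [upf] INFO: PFCP associated
12/19 10:00:05.200: [pfcp] ERROR: qer_id_pool() failed
12/19 10:00:05.201: [pfcp] FATAL: ogs_pfcp_qer_find_or_add: Assertion `qer' failed.
12/19 10:00:09.000: [app] INFO: UPF initialize...done
12/19 10:02:11.500: [pfcp] FATAL: ogs_pfcp_qer_find_or_add: Assertion `qer' failed.
""".splitlines()

if __name__ == "__main__":
    # With piped input (e.g. from journalctl) scan stdin, otherwise the constructed sample.
    source = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin
    for event in scan(source):
        print(event)
```

More than one event in a short period matches the "repeated errors" pattern described above and is worth correlating with a PFCP capture on the N4 interface.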
What immediate steps should I take to mitigate this vulnerability?
The immediate recommended mitigation is to apply the patch identified by commit 442369dcd964f03d95429a6a01a57ed21f7779b7, which replaces fatal assertion failures with graceful error handling in the Open5GS UPF daemon. This patch prevents the process from crashing when resource limits are exceeded by rejecting malformed or resource-exhausting PFCP Session Establishment requests instead of aborting. Until the patch can be applied, consider monitoring and filtering PFCP Session Establishment requests to block those that attempt to reference more than four unique QER-IDs without corresponding CreateQER IEs, thereby reducing the risk of triggering the denial-of-service condition. [3, 4]