CVE-2025-14954
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-19

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in Open5GS up to 2.7.6. Affected is the function ogs_pfcp_pdr_find_or_add/ogs_pfcp_far_find_or_add/ogs_pfcp_urr_find_or_add/ogs_pfcp_qer_find_or_add in the library lib/pfcp/context.c of the component QER/FAR/URR/PDR. The manipulation leads to reachable assertion. It is possible to initiate the attack remotely. The attack's complexity is rated as high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 442369dcd964f03d95429a6a01a57ed21f7779b7. Applying a patch is the recommended action to fix this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-19
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-12-19
EPSS Evaluated
2026-06-14
NVD
CVE-2025-14954
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open5gs open5gs to 2.7.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-617 The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-14954 is a vulnerability in Open5GS version 2.7.5 affecting the User Plane Function (UPF) during PFCP Session Establishment. When more than four Packet Detection Rules (PDRs) reference unique QoS Enforcement Rule IDs (QER-IDs) without corresponding explicit QER definitions, the UPF tries to implicitly allocate more QER objects than its per-session limit of four. This causes an internal assertion failure in the function ogs_pfcp_qer_find_or_add(), leading the UPF process (open5gs-upfd) to crash. The crash results in a denial-of-service (DoS) condition as all user-plane sessions are dropped. The vulnerability can be triggered remotely by sending a crafted PFCP Session Establishment request with excessive PDRs referencing unique QER-IDs without CreateQER Information Elements. [1, 2, 3]

Impact Analysis

This vulnerability can cause the Open5GS UPF process to crash remotely, resulting in a denial-of-service (DoS) condition. When exploited, all existing user-plane sessions are dropped, disrupting network services that rely on Open5GS for packet forwarding and session management. This can lead to service outages and degraded network availability until the UPF process is restarted or patched. [1, 2, 3]

Detection Guidance

This vulnerability can be detected by monitoring the Open5GS UPF daemon (open5gs-upfd) logs for repeated errors related to PFCP Session Establishment requests that reference more than four unique QER-IDs without corresponding CreateQER Information Elements. Specifically, look for log entries indicating assertion failures such as `ogs_assert(qer)` or errors like `qer_id_pool() failed` and fatal assertion failures in `ogs_pfcp_qer_find_or_add()`. Additionally, network traffic analysis can be performed to detect PFCP Session Establishment requests containing five or more CreatePDR IEs each referencing unique QER-IDs without CreateQER IEs. Commands to check logs might include `journalctl -u open5gs-upfd` or `tail -f /var/log/open5gs/upfd.log` depending on your system's logging configuration. For network capture, tools like `tcpdump` or `wireshark` can be used to filter UDP traffic on the PFCP port (typically UDP 8805) to inspect PFCP messages for suspicious Session Establishment requests. [1, 2]

Mitigation Strategies

The immediate recommended mitigation is to apply the patch identified by commit 442369dcd964f03d95429a6a01a57ed21f7779b7, which replaces fatal assertion failures with graceful error handling in the Open5GS UPF daemon. This patch prevents the process from crashing when resource limits are exceeded by rejecting malformed or resource-exhausting PFCP Session Establishment requests instead of aborting. Until the patch can be applied, consider monitoring and filtering PFCP Session Establishment requests to block those that attempt to reference more than four unique QER-IDs without corresponding CreateQER IEs, thereby reducing the risk of triggering the denial-of-service condition. [3, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14954. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart