CVE-2025-65559
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-18

Last updated on: 2025-12-19

Assigner: MITRE

Description
An issue was discovered in Open5GS 2.7.5-49-g465e90f, when processing a PFCP Session Establishment Request (type=50), the UPF crashes with a reachable assertion in `lib/pfcp/context.c` (`ogs_pfcp_object_teid_hash_set`) if the CreatePDR?PDI?F-TEID has CH=1 and the F-TEID address-family flag(s) (IPv4/IPv6) do not match the GTP-U resource family configured for the selected DNN (Network Instance), resulting in a denial of service.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-18
Last Modified
2025-12-19
Generated
2026-06-16
AI Q&A
2025-12-18
EPSS Evaluated
2026-06-15
NVD
CVE-2025-65559
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open5gs upf 2.7.5
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-617 The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-65559 is a security vulnerability in Open5GS UPF version v2.7.5-49-g465e90f. It occurs when the UPF processes a PFCP Session Establishment Request containing an F-TEID with the CH flag set to 1, but the IP address family flags (IPv4 or IPv6) of the F-TEID do not match the configured GTP-U resource family for the selected DNN (Network Instance). This mismatch triggers an assertion failure in the function ogs_pfcp_object_teid_hash_set(), causing the UPF to crash. [1]

Impact Analysis

This vulnerability can cause the Open5GS UPF to crash and terminate unexpectedly when processing certain PFCP Session Establishment Requests with mismatched IP address family flags. The impact is a denial of service (DoS) condition on the UPF, potentially disrupting network services that rely on it. [1]

Detection Guidance

This vulnerability can be detected by monitoring the UPF logs for assertion failures related to F-TEID address-family mismatches during PFCP Session Establishment Requests. Specifically, look for logs indicating assertion failures in `ogs_pfcp_object_teid_hash_set()` in `lib/pfcp/context.c`, errors about invalid FQDN encoding, invalid pdi.network_instance, and core dumps. Additionally, you can attempt to reproduce the issue by sending a crafted PFCP Session Establishment Request (type=50) with a CreatePDR containing a PDI with NetworkInstance set to the DNN and an F-TEID where CH=1 and the IPv4/IPv6 flags do not match the configured GTP-U resource family. A proof-of-concept Go program exists for this purpose. Commands to capture logs might include `journalctl -u open5gs-upfd` or checking the UPF log files. For active testing, using the provided PoC or tools that can send PFCP messages with mismatched F-TEID flags can help detect the vulnerability. [1]

Mitigation Strategies

Immediate mitigation steps include ensuring that the F-TEID address-family flags in PFCP Session Establishment Requests match the configured GTP-U resource family for the selected DNN to prevent assertion failures. This can be done by validating incoming PFCP messages to reject or correct mismatched F-TEID IP versions before processing. Additionally, updating Open5GS to a version where this assertion failure is fixed or patched is recommended once available. Until then, monitoring for crashes and avoiding configurations that allow mismatched IP address families in PFCP messages can reduce risk. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-65559. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart