CVE-2025-65559
BaseFortify

Publication date: 2025-12-18

Last updated on: 2025-12-19

Assigner: MITRE

Description
An issue was discovered in Open5GS 2.7.5-49-g465e90f, when processing a PFCP Session Establishment Request (type=50), the UPF crashes with a reachable assertion in `lib/pfcp/context.c` (`ogs_pfcp_object_teid_hash_set`) if the CreatePDR→PDI→F-TEID has CH=1 and the F-TEID address-family flag(s) (IPv4/IPv6) do not match the GTP-U resource family configured for the selected DNN (Network Instance), resulting in a denial of service.
Meta Information
Published: 2025-12-18
Last Modified: 2025-12-19
Generated: 2026-05-07
AI Q&A: 2025-12-18
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: open5gs
Product: upf
Version / Range: 2.7.5
CWE
CWE-617: The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-65559 is a security vulnerability in Open5GS UPF version v2.7.5-49-g465e90f. It occurs when the UPF processes a PFCP Session Establishment Request containing an F-TEID with the CH flag set to 1, but the IP address family flags (IPv4 or IPv6) of the F-TEID do not match the configured GTP-U resource family for the selected DNN (Network Instance). This mismatch triggers an assertion failure in the function ogs_pfcp_object_teid_hash_set(), causing the UPF to crash. [1]


How can this vulnerability impact me?

This vulnerability can cause the Open5GS UPF to crash and terminate unexpectedly when processing certain PFCP Session Establishment Requests with mismatched IP address family flags. The impact is a denial of service (DoS) condition on the UPF, potentially disrupting network services that rely on it. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring the UPF logs for assertion failures related to F-TEID address-family mismatches during PFCP Session Establishment Requests. Specifically, look for logs indicating assertion failures in `ogs_pfcp_object_teid_hash_set()` in `lib/pfcp/context.c`, errors about invalid FQDN encoding, invalid pdi.network_instance, and core dumps. Additionally, you can attempt to reproduce the issue by sending a crafted PFCP Session Establishment Request (type=50) with a CreatePDR containing a PDI with NetworkInstance set to the DNN and an F-TEID where CH=1 and the IPv4/IPv6 flags do not match the configured GTP-U resource family. A proof-of-concept Go program exists for this purpose. Commands to capture logs might include `journalctl -u open5gs-upfd` or checking the UPF log files. For active testing, using the provided PoC or tools that can send PFCP messages with mismatched F-TEID flags can help detect the vulnerability. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include ensuring that the F-TEID address-family flags in PFCP Session Establishment Requests match the configured GTP-U resource family for the selected DNN to prevent assertion failures. This can be done by validating incoming PFCP messages to reject or correct mismatched F-TEID IP versions before processing. Additionally, updating Open5GS to a version where this assertion failure is fixed or patched is recommended once available. Until then, monitoring for crashes and avoiding configurations that allow mismatched IP address families in PFCP messages can reduce risk. [1]
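
The validation described above, sketched in C as an added example (it is not Open5GS code and not the upstream fix): it parses one F-TEID IE and rejects a CH=1 request whose V4/V6 flags ask for an address family the DNN's GTP-U resource does not have. The `gtpu_resource` struct, the function name and the strict "every requested family must be configured" policy are assumptions; the flag bit layout follows 3GPP TS 29.244.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* F-TEID flag bits (first octet after the IE header) and IE type, per TS 29.244. */
enum { FTEID_V4 = 0x01, FTEID_V6 = 0x02, FTEID_CH = 0x04, FTEID_CHID = 0x08,
       PFCP_IE_FTEID = 21 };

/* Hypothetical view of the GTP-U resource configured for the selected DNN. */
struct gtpu_resource { int has_ipv4; int has_ipv6; };
enum fteid_verdict { FTEID_OK, FTEID_MALFORMED, FTEID_FAMILY_MISMATCH };

/* ie points at the IE header: type(2) length(2) flags(1) [fields...]. */
enum fteid_verdict check_fteid(const uint8_t *ie, size_t len,
                               const struct gtpu_resource *res)
{
    if (!ie || !res || len < 5) return FTEID_MALFORMED;
    unsigned type = ((unsigned)ie[0] << 8) | ie[1];
    size_t body = ((size_t)ie[2] << 8) | ie[3];
    if (type != PFCP_IE_FTEID || body > len - 4) return FTEID_MALFORMED;
    uint8_t flags = ie[4];
    size_t need = 1;                                  /* flags octet */
    if (flags & FTEID_CH) {
        if (flags & FTEID_CHID) need += 1;            /* CHOOSE ID octet */
    } else {
        need += 4;                                    /* TEID */
        if (flags & FTEID_V4) need += 4;              /* IPv4 address */
        if (flags & FTEID_V6) need += 16;             /* IPv6 address */
    }
    if (body < need || !(flags & (FTEID_V4 | FTEID_V6))) return FTEID_MALFORMED;
    /* Assumed strict policy: with CH=1 every requested family must be configured. */
    if (flags & FTEID_CH) {
        if ((flags & FTEID_V4) && !res->has_ipv4) return FTEID_FAMILY_MISMATCH;
        if ((flags & FTEID_V6) && !res->has_ipv6) return FTEID_FAMILY_MISMATCH;
    }
    return FTEID_OK;
}

/* Constructed sample IEs (not captured traffic): CH=1 with V6, CH=1 with V4. */
static const uint8_t ie_ch_v6[] = { 0x00, 0x15, 0x00, 0x01, 0x06 };
static const uint8_t ie_ch_v4[] = { 0x00, 0x15, 0x00, 0x01, 0x05 };

int main(void)
{
    struct gtpu_resource v4_only = { 1, 0 };
    printf("CH+V6, IPv4-only DNN: %d\n", check_fteid(ie_ch_v6, sizeof ie_ch_v6, &v4_only));
    printf("CH+V4, IPv4-only DNN: %d\n", check_fteid(ie_ch_v4, sizeof ie_ch_v4, &v4_only));
    return 0;
}
```

A mismatch verdict here is meant to become a PFCP rejection of the request, so the condition never reaches an assertion.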

