CVE-2025-65561
BaseFortify
Publication date: 2025-12-18
Last updated on: 2025-12-19
Assigner: MITRE
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| free5gc | free5gc | 4.1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-65561 is a vulnerability in free5GC version 4.1.0's User Plane Function (UPF) component. It occurs when the UPF receives a PFCP Session Modification Request with a specially crafted, excessively large Session Endpoint Identifier (SEID). The function LocalNode.Sess converts this large SEID to an integer and subtracts one, causing an integer overflow and resulting in a negative index. Because the code only checks the upper bound and not the lower bound of this index, it attempts to access a session slice with a negative index, causing a runtime panic and crashing the UPF process. This leads to a denial of service. [1, 2]
How can this vulnerability impact me?
This vulnerability can cause the User Plane Function (UPF) in free5GC to crash when processing malformed PFCP Session Modification Requests with large SEID values. The crash results from an out-of-range slice access due to integer overflow, leading to a denial of service. This means that an attacker can disrupt network services relying on free5GC by sending crafted PFCP messages, potentially causing service outages or instability in the affected network components. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or runtime panics in the free5GC UPF logs, specifically looking for panic messages related to 'index out of range [-2]' in the LocalNode.Sess() function when processing PFCP Session Modification Requests. Additionally, sending a crafted PFCP Session Modification Request with the SEID set to 0xFFFFFFFFFFFFFFFF to the UPF and observing if it crashes can confirm the presence of the vulnerability. Commands to reproduce the issue include using a Go program or PFCP testing tools to first send a valid PFCP Association Setup Request, then send a PFCP Session Modification Request with the large SEID value. Monitoring system logs for runtime panics during these tests can help detect the vulnerability. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the free5GC UPF component to a version that includes the patch fixing this vulnerability, which adds explicit uint64 boundary validations to prevent out-of-range accesses and integer overflow in session lookup logic. If an immediate update is not possible, monitoring and filtering PFCP Session Modification Requests to block those with suspiciously large SEID values (such as 0xFFFFFFFFFFFFFFFF) can help prevent triggering the crash. Additionally, applying any available patches from the free5gc project repository that address this issue is recommended. [2]
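The lookup flaw described in the explanation above and the uint64 boundary validation described in the mitigation, side by side as an added example. This is not free5GC's code: the types `Sess` and `LocalNode`, the methods `lookupUnsafe` and `lookupSafe`, the helper `crashed`, and the sample sessions are hypothetical, and a 64-bit `int` is assumed.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical stand-ins for illustration; not free5GC's own types or code.
type Sess struct{ LocalID uint64 }
type LocalNode struct{ sess []*Sess } // SEID n is stored at index n-1

var (
	ErrNotFound = errors.New("session not found")
	ErrPanicked = errors.New("lookup panicked")
)

// lookupUnsafe follows the flawed pattern: convert, subtract one, check only
// the upper bound. The recover() exists only so this demo can report the panic.
func (n *LocalNode) lookupUnsafe(seid uint64) (s *Sess, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("%w: %v", ErrPanicked, r)
		}
	}()
	i := int(seid) - 1 // with 64-bit int, 0xFFFFFFFFFFFFFFFF becomes -1, then -2
	if i >= len(n.sess) {
		return nil, ErrNotFound
	}
	return n.sess[i], nil // a negative i panics here
}

// lookupSafe validates the SEID as uint64 before any signed conversion.
func (n *LocalNode) lookupSafe(seid uint64) (*Sess, error) {
	if seid == 0 || seid > uint64(len(n.sess)) {
		return nil, ErrNotFound
	}
	return n.sess[seid-1], nil
}

// crashed reports whether err came from a recovered panic.
func crashed(err error) bool { return errors.Is(err, ErrPanicked) }

func main() {
	n := &LocalNode{sess: []*Sess{{LocalID: 1}, {LocalID: 2}}} // constructed data
	for _, seid := range []uint64{1, 3, 0, 0xFFFFFFFFFFFFFFFF} {
		_, e1 := n.lookupUnsafe(seid)
		_, e2 := n.lookupSafe(seid)
		fmt.Printf("seid=%#x unsafe=%v safe=%v\n", seid, e1, e2)
	}
}
```

In this sketch a SEID of 0 reaches the same unchecked lower bound as the maximum value, so the validated version rejects both before indexing.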