CVE-2025-65561
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-18

Last updated on: 2025-12-19

Assigner: MITRE

Description
An issue was discovered in function LocalNode.Sess in free5GC 4.1.0 allowing attackers to cause a denial of service or other unspecified impacts via crafted header Local SEID to the PFCP Session Modification Request.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-18
Last Modified
2025-12-19
Generated
2026-06-16
AI Q&A
2025-12-18
EPSS Evaluated
2026-06-15
NVD
CVE-2025-65561
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
free5gc free5gc 4.1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-65561 is a vulnerability in free5GC version 4.1.0's User Plane Function (UPF) component. It occurs when the UPF receives a PFCP Session Modification Request with a specially crafted, excessively large Session Endpoint Identifier (SEID). The function LocalNode.Sess converts this large SEID to an integer and subtracts one, causing an integer overflow and resulting in a negative index. Because the code only checks the upper bound and not the lower bound of this index, it attempts to access a session slice with a negative index, causing a runtime panic and crashing the UPF process. This leads to a denial of service. [1, 2]

Impact Analysis

This vulnerability can cause the User Plane Function (UPF) in free5GC to crash when processing malformed PFCP Session Modification Requests with large SEID values. The crash results from an out-of-range slice access due to integer overflow, leading to a denial of service. This means that an attacker can disrupt network services relying on free5GC by sending crafted PFCP messages, potentially causing service outages or instability in the affected network components. [1, 2]

Detection Guidance

This vulnerability can be detected by monitoring for crashes or runtime panics in the free5GC UPF logs, specifically looking for panic messages related to 'index out of range [-2]' in the LocalNode.Sess() function when processing PFCP Session Modification Requests. Additionally, sending a crafted PFCP Session Modification Request with the SEID set to 0xFFFFFFFFFFFFFFFF to the UPF and observing if it crashes can confirm the presence of the vulnerability. Commands to reproduce the issue include using a Go program or PFCP testing tools to first send a valid PFCP Association Setup Request, then send a PFCP Session Modification Request with the large SEID value. Monitoring system logs for runtime panics during these tests can help detect the vulnerability. [1]

Mitigation Strategies

Immediate mitigation steps include updating the free5GC UPF component to a version that includes the patch fixing this vulnerability, which adds explicit uint64 boundary validations to prevent out-of-range accesses and integer overflow in session lookup logic. If an immediate update is not possible, monitoring and filtering PFCP Session Modification Requests to block those with suspiciously large SEID values (such as 0xFFFFFFFFFFFFFFFF) can help prevent triggering the crash. Additionally, applying any available patches from the free5gc project repository that address this issue is recommended. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-65561. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart