CVE-2025-65562
BaseFortify
Publication date: 2025-12-18
Last updated on: 2025-12-19
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| free5gc | upf | 4.1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-129 | The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in free5GC UPF v4.1.0 occurs because the UPF does not check the bounds of the SEID (Session Endpoint Identifier) when processing PFCP Session Deletion Requests. An unauthenticated attacker can send a request with an extremely large SEID value (e.g., 0xFFFFFFFFFFFFFFFF). The SEID is stored as a uint64, and when it is cast to a signed int and used as an index, the conversion underflows and produces a negative index. Accessing the session slice with that negative index causes a Go runtime panic that crashes the UPF process, leading to a denial of service. [1]
How can this vulnerability impact me?
The impact of this vulnerability is a denial of service (DoS) condition on the free5GC User Plane Function (UPF). An attacker can remotely crash the UPF by sending a specially crafted PFCP Session Deletion Request with a large SEID value, causing the UPF to panic and stop functioning. This disrupts the network service relying on the UPF, potentially causing outages or degraded service availability. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or runtime panics in the free5GC UPF process, specifically looking for Go runtime panic messages related to 'index out of range' errors in the DeleteSess() function. Additionally, sending a crafted PFCP Session Deletion Request with a very large SEID value (e.g., 0xFFFFFFFFFFFFFFFF) can be used as a proof-of-concept test to reproduce the crash. A PoC Go program exists that establishes a PFCP association and sends such a request to trigger the vulnerability. Monitoring logs for panic stack traces referencing internal/pfcp/node.go line 678 can also help detect exploitation attempts. Specific commands are not detailed, but using the PoC or network packet crafting tools to send malformed PFCP Session Deletion Requests with large SEID values would be the approach. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying patches or updates that add proper SEID validation in the DeleteSess() function to prevent integer underflow and out-of-range slice access. Until a fix is applied, network administrators should monitor and filter PFCP Session Deletion Requests with abnormally large SEID values to prevent them from reaching the UPF. Implementing input validation or firewall rules to block malformed PFCP messages with suspicious SEID values can reduce the risk. Restarting the UPF after a crash and monitoring for repeated crashes is also advised. Ultimately, updating free5GC UPF to a version where this vulnerability is fixed is necessary. [1]
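The following added example (not free5GC's code and not from the referenced report) models the unchecked index described in the explanation above next to the kind of SEID validation the mitigation calls for. The `Node`, `Sess`, `deleteSessUnchecked`, `DeleteSessChecked` and `Panics` names and the "SEID minus one" slot layout are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Sess and Node are simplified stand-ins (assumed), not free5GC's own types.
type Sess struct{ LocalSEID uint64 }
type Node struct{ sess []*Sess }

var ErrUnknownSEID = errors.New("unknown SEID")

// NewNode builds a constructed table holding sessions with SEIDs 1..count.
func NewNode(count int) *Node {
	n := &Node{}
	for i := 1; i <= count; i++ {
		n.sess = append(n.sess, &Sess{LocalSEID: uint64(i)})
	}
	return n
}

// deleteSessUnchecked models the flaw: the uint64 SEID is converted to int
// and used as a slice index with no bounds check.
func (n *Node) deleteSessUnchecked(seid uint64) {
	i := int(seid) - 1 // 0xFFFFFFFFFFFFFFFF wraps to -1, so i == -2
	n.sess[i] = nil    // runtime panic: index out of range [-2]
}

// DeleteSessChecked range-checks the SEID while it is still unsigned.
func (n *Node) DeleteSessChecked(seid uint64) error {
	if seid == 0 || seid > uint64(len(n.sess)) || n.sess[seid-1] == nil {
		return ErrUnknownSEID
	}
	n.sess[seid-1] = nil
	return nil
}

// Panics reports whether f panicked, so the unchecked path can be observed.
func Panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return
}

func main() {
	n := NewNode(2)
	fmt.Println(Panics(func() { n.deleteSessUnchecked(0xFFFFFFFFFFFFFFFF) }))
	fmt.Println(n.DeleteSessChecked(0xFFFFFFFFFFFFFFFF), n.DeleteSessChecked(2))
}
```

Doing the comparison before any conversion to `int` is what keeps the wrapped value from ever reaching the slice index; an unknown SEID then becomes an error the handler can answer instead of a process crash.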