CVE-2025-65563
BaseFortify

Publication date: 2025-12-18

Last updated on: 2025-12-19

Assigner: MITRE

Description
A denial-of-service vulnerability exists in the omec-project UPF (component upf-epc/pfcpiface) up to at least version upf-epc-pfcpiface:2.1.3-dev. When the UPF receives a PFCP Association Setup Request that is missing the mandatory NodeID Information Element, the association setup handler dereferences a nil pointer instead of validating the message, causing a panic and terminating the UPF process. An attacker who can send PFCP Association Setup Request messages to the UPF's N4/PFCP endpoint can exploit this issue to repeatedly crash the UPF and disrupt user-plane services.
Meta Information
Published: 2025-12-18
Last Modified: 2025-12-19
Generated: 2026-05-07
AI Q&A: 2025-12-18
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs
Vendor       | Product | Version / Range
omec-project | upf     | 2.1.2-dev
omec-project | upf     | 2.1.3-dev
CWE ID  | Description
CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a denial-of-service issue in the omec-project UPF component. When the UPF receives a PFCP Association Setup Request message that is missing the mandatory NodeID Information Element (IE), it improperly dereferences a nil pointer instead of validating the message. This causes the UPF process to panic and crash. An attacker who can send such malformed PFCP messages to the UPF's N4/PFCP endpoint can exploit this flaw to repeatedly crash the UPF, disrupting user-plane services. [1, 2]


How can this vulnerability impact me?

This vulnerability can cause the UPF process to crash repeatedly when it receives malformed PFCP Association Setup Requests missing the mandatory NodeID IE. This leads to a denial of service (DoS) condition, disrupting user-plane services that rely on the UPF. An attacker capable of sending such malformed messages can exploit this to interrupt network operations and degrade service availability. [1, 2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by sending malformed PFCP Association Setup Request messages that omit the mandatory NodeID Information Element (IE) to the UPF's N4/PFCP endpoint and observing if the UPF process crashes or panics. A proof-of-concept (PoC) Go program exists that crafts and sends such malformed PFCP messages using the github.com/wmnsk/go-pfcp library over UDP. Specifically, the PoC includes a mode called 'assoc-missing-nodeid' which sends an Association Setup Request without the NodeID IE to trigger the crash. Monitoring the UPF logs for panic stack traces related to nil pointer dereferences in the PFCP message handling code (e.g., at pfcpiface/messages_conn.go:138) can also help detect exploitation attempts. [2]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include updating the omec-project UPF component to a version that includes the fix from Pull Request #963, which adds proper validation for the presence of the NodeID IE in PFCP Association Setup Requests and handles missing or malformed messages gracefully without crashing. Until the update can be applied, monitoring and filtering incoming PFCP Association Setup Requests to block or drop those missing the mandatory NodeID IE may reduce the risk of exploitation. Additionally, implementing network-level protections to restrict access to the UPF's N4/PFCP endpoint to trusted sources can help prevent attackers from sending malicious PFCP messages. [1]
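
The presence check described above, as an added example (not code from the omec-project UPF, Pull Request #963 or the PoC): a standard-library Go function that walks the IEs of a PFCP Association Setup Request and reports a missing NodeID IE before any field is used. CheckAssocSetup, the error names and the sample packets are hypothetical and constructed for illustration; message type 5 and IE type 60 are the values defined in 3GPP TS 29.244.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const msgAssocSetupReq, ieNodeID = 5, 60 // message type, Node ID IE type (3GPP TS 29.244)
var (
	ErrMalformed     = errors.New("malformed PFCP message")
	ErrMissingNodeID = errors.New("association setup request without NodeID IE")
	// Constructed samples: version 1, S=0, sequence 1, Recovery Time Stamp IE (type 96).
	withNodeID    = []byte{0x20, 5, 0, 21, 0, 0, 1, 0, 0, 60, 0, 5, 0, 192, 0, 2, 1, 0, 96, 0, 4, 0, 0, 0, 1}
	withoutNodeID = []byte{0x20, 5, 0, 12, 0, 0, 1, 0, 0, 96, 0, 4, 0, 0, 0, 1}
)

// CheckAssocSetup (hypothetical helper) flags a request to drop before any IE is used.
func CheckAssocSetup(pkt []byte) error {
	if len(pkt) < 8 || pkt[0]>>5 != 1 {
		return ErrMalformed
	}
	if pkt[1] != msgAssocSetupReq {
		return nil // other message types are not checked here
	}
	off, end := 8, 4+int(binary.BigEndian.Uint16(pkt[2:4])) // node-level header is 8 octets
	if pkt[0]&1 != 0 || end > len(pkt) || end < off { // this sketch rejects S=1 (SEID present)
		return ErrMalformed
	}
	found := false
	for off < end {
		if end-off < 4 {
			return ErrMalformed
		}
		typ := binary.BigEndian.Uint16(pkt[off:])
		n := int(binary.BigEndian.Uint16(pkt[off+2:]))
		if off += 4; n > end-off || (typ == ieNodeID && n < 2) {
			return ErrMalformed
		}
		found, off = found || typ == ieNodeID, off+n
	}
	if !found {
		return ErrMissingNodeID
	}
	return nil
}

func main() {
	fmt.Println(CheckAssocSetup(withNodeID), CheckAssocSetup(withoutNodeID))
}
```
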

