CVE-2025-65564
BaseFortify
Publication date: 2025-12-18
Last updated on: 2025-12-19
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wmnsk | go-pfcp | v0.0.24 |
| omec-project | upf | 2.1.3-dev |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the omec-project's User Plane Function (UPF) component, specifically in version upf-epc-pfcpiface:2.1.3-dev. When the UPF receives a PFCP Association Setup Request message that is missing the mandatory Recovery Time Stamp Information Element (IE), the code attempts to access this missing IE without checking if it is present. This causes a nil pointer dereference, leading to a runtime panic and crashing the UPF process. An attacker can exploit this by sending malformed PFCP Association Setup Request messages to the UPF's N4/PFCP endpoint repeatedly, causing denial-of-service by crashing the UPF and disrupting user-plane services. [1]
How can this vulnerability impact me?
This vulnerability can cause a denial-of-service (DoS) condition by crashing the UPF process whenever it receives a malformed PFCP Association Setup Request missing the mandatory Recovery Time Stamp IE. This crash disrupts the UPF's operation, potentially interrupting 5G user-plane services that rely on the UPF for packet forwarding. An attacker capable of sending such malformed messages can repeatedly crash the UPF, causing service outages and impacting network availability. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the UPF logs for crash events such as segmentation violations (SIGSEGV) or runtime panics related to nil pointer dereferences when handling PFCP Association Setup Request messages. Additionally, sending crafted PFCP Association Setup Request messages missing the Recovery Time Stamp IE to the UPF's UDP port 8805 can test for the vulnerability. A proof-of-concept Go program exists that crafts such malformed PFCP messages using the github.com/wmnsk/go-pfcp library. Using this PoC or similar tools to send malformed PFCP messages and observing if the UPF process crashes can confirm the presence of the vulnerability. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the UPF component to a version that includes the fix from Pull Request #964 or later, which adds validation checks for the presence of the Recovery Time Stamp IE in PFCP Association Setup Requests. This fix prevents nil pointer dereferences by validating the message before accessing the Recovery Time Stamp field and handles missing IEs gracefully by returning appropriate PFCP error responses. Until the update can be applied, monitoring and filtering malformed PFCP Association Setup Request messages at the network level to prevent such malformed packets from reaching the UPF may reduce the risk of exploitation. [2]
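The presence check described above, written as a standalone pre-validation of a raw PFCP datagram. This is an added example, not the omec-project code or the change in Pull Request #964. It uses only the Go standard library, the message and IE type codes are those of 3GPP TS 29.244, and every function, variable and sample packet name is hypothetical.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)
// Message and IE type codes from 3GPP TS 29.244; all names here are hypothetical.
const (
	msgAssociationSetupRequest = 5
	ieRecoveryTimeStamp        = 96
)
var (
	ErrMalformed = errors.New("malformed PFCP message")
	ErrMissingIE = errors.New("mandatory Recovery Time Stamp IE missing")
	// Constructed samples: header, Node ID IE, then (first sample only) Recovery Time Stamp IE.
	sampleOK    = []byte{0x20, 5, 0, 21, 0, 0, 1, 0, 0, 60, 0, 5, 0, 10, 0, 0, 1, 0, 96, 0, 4, 0xe0, 0, 0, 0}
	sampleNoRTS = []byte{0x20, 5, 0, 13, 0, 0, 1, 0, 0, 60, 0, 5, 0, 10, 0, 0, 1}
)
// CheckAssociationSetup returns nil when the datagram may be passed on to the PFCP handler.
func CheckAssociationSetup(pkt []byte) error {
	if len(pkt) < 8 || pkt[0]>>5 != 1 { // short header or PFCP version other than 1
		return ErrMalformed
	}
	if pkt[1] != msgAssociationSetupRequest {
		return nil // other message types are outside this check
	}
	// Node-level messages have no SEID (S flag clear), so the header is 8 bytes.
	// The length field counts everything after the first 4 header bytes.
	if pkt[0]&1 != 0 || int(binary.BigEndian.Uint16(pkt[2:4]))+4 != len(pkt) {
		return ErrMalformed
	}
	for rest := pkt[8:]; len(rest) > 0; {
		if len(rest) < 4 {
			return ErrMalformed
		}
		typ, n := binary.BigEndian.Uint16(rest), int(binary.BigEndian.Uint16(rest[2:]))
		if len(rest) < 4+n {
			return ErrMalformed // IE claims more bytes than the datagram holds
		}
		if typ == ieRecoveryTimeStamp && n == 4 {
			return nil // mandatory IE present with its fixed 4-byte value
		}
		rest = rest[4+n:]
	}
	return ErrMissingIE
}

func main() {
	fmt.Println(CheckAssociationSetup(sampleOK), CheckAssociationSetup(sampleNoRTS))
}
```

A receiver that gets `ErrMissingIE` can reject the request with a PFCP error response or drop it, instead of reading a field that was never decoded.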