CVE-2025-65567
BaseFortify
Publication date: 2025-12-18
Last updated on: 2025-12-19
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| omec-project | upf | 2.1.3-dev |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-65567 is a denial-of-service vulnerability in the omec-project UPF (User Plane Function) component, specifically in the pfcpiface module version upf-epc-pfcpiface:2.1.3-dev. The vulnerability occurs when the UPF receives a specially crafted PFCP Session Establishment Request containing a CreatePDR Information Element with a malformed Flow-Description string. The parser function parseFlowDesc does not properly validate the Flow-Description, leading to an out-of-bounds read of the token array. This causes a runtime panic and crashes the UPF process, resulting in denial of service. An attacker who can send PFCP Session Establishment Requests to the UPF's N4/PFCP endpoint can exploit this to repeatedly crash the UPF. [1]
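The bug class described above, as an added Go example that is not the omec-project code: `naiveParse`, `safeParse` and `panics` are hypothetical names, and the simplified token layout `action dir proto from SRC [ports] to DST [ports]` is an assumption. It contrasts fixed-position indexing of the token slice with a length-checked walk that returns an error for the `permit out ip from any` input.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// FlowDesc holds the fields of "action dir proto from SRC [ports] to DST [ports]".
type FlowDesc struct {
	Action, Dir, Proto, Src, Dst string
}

// naiveParse (hypothetical) indexes tokens by fixed position with no length check.
func naiveParse(s string) FlowDesc {
	f := strings.Fields(s)
	return FlowDesc{f[0], f[1], f[2], f[4], f[6]} // panics when "to DST" is absent
}

// safeParse checks bounds and keywords and returns an error instead of panicking.
func safeParse(s string) (FlowDesc, error) {
	f := strings.Fields(s)
	if len(f) < 5 || f[3] != "from" {
		return FlowDesc{}, errors.New("flow description: missing 'from' clause")
	}
	fd := FlowDesc{Action: f[0], Dir: f[1], Proto: f[2], Src: f[4]}
	i := 5
	for i < len(f) && f[i] != "to" { // skip optional source ports
		i++
	}
	if i+1 >= len(f) {
		return FlowDesc{}, errors.New("flow description: missing 'to' clause")
	}
	fd.Dst = f[i+1]
	return fd, nil
}

// panics reports whether naiveParse crashes on s (recovered here for the demo).
func panics(s string) (crashed bool) {
	defer func() { crashed = recover() != nil }()
	naiveParse(s)
	return false
}

func main() {
	for _, s := range []string{"permit out ip from any to assigned", "permit out ip from any"} {
		_, err := safeParse(s)
		fmt.Printf("%q naive-panics=%v safe-err=%v\n", s, panics(s), err)
	}
}
```

In a long-running service an unrecovered index-out-of-range panic ends the process, which is why the length-checked form has to reject the message rather than index into it.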
How can this vulnerability impact me?
This vulnerability can cause the UPF process to crash repeatedly, resulting in denial of service. Since the UPF is a critical component in the network handling user plane traffic, its crash can disrupt network services, degrade performance, and cause outages. An attacker exploiting this vulnerability can cause service interruptions by sending malformed PFCP Session Establishment Requests, potentially impacting availability and reliability of network functions relying on the UPF. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the UPF logs for runtime panics or crashes related to the parseFlowDesc function, especially after receiving PFCP Session Establishment Requests. Network detection involves capturing PFCP messages and inspecting Session Establishment Requests for malformed Flow-Description strings, such as those missing the 'to' clause (e.g., 'permit out ip from any'). A practical approach is to use packet capture tools like tcpdump or Wireshark to filter PFCP traffic on the N4 interface and analyze the CreatePDR IE for malformed Flow-Descriptions. Additionally, reproducing the issue using the provided Go-based proof-of-concept (PoC) can help confirm vulnerability presence. Example command to capture PFCP traffic: `tcpdump -i <interface> udp port 8805 -w pfcp_capture.pcap` [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting or filtering access to the UPF's N4/PFCP endpoint to trusted sources only, preventing attackers from sending crafted PFCP Session Establishment Requests. Monitoring and alerting on UPF process crashes or panics can help detect exploitation attempts. Applying any available patches or updates from the omec-project that address this issue is recommended once released. In the meantime, consider implementing network-level protections such as firewall rules to block unauthorized PFCP traffic and rate limiting to reduce the impact of potential exploit attempts. [1]