CVE-2025-66720
BaseFortify
Publication date: 2026-01-23
Last updated on: 2026-02-11
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| free5gc | pcf | 1.4.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-66720 is a vulnerability in the free5gc PCF (Policy Control Function) component caused by missing nil checks before deleting entries in a map. Specifically, in the function HandleDeletePoliciesPolAssoId, the code attempts to delete a policy association from the AMPolicyData map without verifying if the user equipment object (ue) or the specific AMPolicyData entry is nil. If either is nil, this leads to a nil pointer dereference, causing a runtime panic and potentially incorrect HTTP responses. The issue was fixed by adding conditional checks to return early if nil values are detected, preventing the invalid delete operation and ensuring proper HTTP response behavior. [1, 2]
How can this vulnerability impact me?
This vulnerability can cause the free5gc PCF component to crash or panic due to a nil pointer dereference when handling deletion requests for policy associations. This can lead to service disruption or denial of service, as the component may fail to respond correctly or terminate unexpectedly. Additionally, it can result in improper HTTP responses being sent to clients, which may affect the reliability and correctness of the system's API behavior. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to reproduce the nil pointer dereference panic in the free5gc PCF component. Specifically, you can send a DELETE request to the PCF endpoint with an invalid or non-existent policy association ID (polAssoId) using a valid OAuth2 access token. If the vulnerability is present, the PCF logs will show a panic due to nil pointer dereference.

Example command using curl:

1. Obtain a valid access token via OAuth2 client credentials grant.
2. Send a DELETE request with an invalid polAssoId:

```
curl -X DELETE -H "Authorization: Bearer <access_token>" https://<pcf_endpoint>/policies/<invalid_polAssoId>
```

Observe the PCF logs for panic messages indicating nil pointer dereference. This confirms the presence of the vulnerability. [2]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, update the free5gc PCF component to include the fix that adds proper nil checks before deleting entries in the AMPolicyData map. Specifically, ensure that the function HandleDeletePoliciesPolAssoId returns immediately after detecting nil ue or nil AMPolicyData[polAssoId] to prevent nil pointer dereference. Additionally, modify the HTTP 204 No Content response to use c.Status(http.StatusNoContent) instead of c.JSON to comply with RFC 7231. If updating is not immediately possible, avoid sending DELETE requests with invalid or non-existent polAssoId values to the PCF until the patch is applied. [1, 2]
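The unchecked delete and the early-return fix described in the answers above, modeled with Go's standard library as an added example (this is not free5gc's code). The types, the `ueByAssoc` index, the handler names, the `run` helper and the 404 status are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Simplified stand-ins for the PCF's UE context (assumed, not free5gc's own types).
type AMPolicy struct{}
type UeContext struct{ AMPolicyData map[string]*AMPolicy }

// Constructed sample state: index from polAssoId to the owning UE context.
var ueByAssoc = map[string]*UeContext{
	"assoc-1": {AMPolicyData: map[string]*AMPolicy{"assoc-1": {}}},
}

// deleteUnchecked deletes without nil checks, the pattern the CVE describes.
func deleteUnchecked(w http.ResponseWriter, polAssoId string) {
	ue := ueByAssoc[polAssoId]         // nil for an unknown polAssoId
	delete(ue.AMPolicyData, polAssoId) // nil ue: nil pointer dereference panic
	w.WriteHeader(http.StatusNoContent)
}

// deleteChecked returns early on a nil ue or nil entry (404 is this example's choice).
func deleteChecked(w http.ResponseWriter, polAssoId string) {
	ue := ueByAssoc[polAssoId]
	if ue == nil || ue.AMPolicyData[polAssoId] == nil {
		http.Error(w, "policy association not found", http.StatusNotFound)
		return
	}
	delete(ue.AMPolicyData, polAssoId)
	w.WriteHeader(http.StatusNoContent) // 204 is sent as a bare status, no body
}

// run calls h with a recorder and reports the status and whether h panicked.
func run(h func(http.ResponseWriter, string), id string) (code int, panicked bool) {
	rec := httptest.NewRecorder()
	defer func() { code, panicked = rec.Code, recover() != nil }()
	h(rec, id)
	return
}

func main() {
	fmt.Println(run(deleteUnchecked, "unknown-id"))
	fmt.Println(run(deleteChecked, "unknown-id"))
	fmt.Println(run(deleteChecked, "assoc-1"))
}
```

A second `deleteChecked` call for `assoc-1` exercises the other half of the check: the UE is still found, but its map entry is gone, so the handler again returns early.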