CVE-2025-66720
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-23

Last updated on: 2026-02-11

Assigner: MITRE

Description
Null pointer dereference in free5gc pcf 1.4.0 in file internal/sbi/processor/ampolicy.go in function HandleDeletePoliciesPolAssoId.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-23
Last Modified
2026-02-11
Generated
2026-06-16
AI Q&A
2026-01-23
EPSS Evaluated
2026-06-14
NVD
CVE-2025-66720
EUVD
EUVD-2026-4247
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
free5gc pcf 1.4.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-66720 is a vulnerability in the free5gc PCF (Policy Control Function) component caused by missing nil checks before deleting entries in a map. Specifically, in the function HandleDeletePoliciesPolAssoId, the code attempts to delete a policy association from the AMPolicyData map without verifying if the user equipment object (ue) or the specific AMPolicyData entry is nil. If either is nil, this leads to a nil pointer dereference, causing a runtime panic and potentially incorrect HTTP responses. The issue was fixed by adding conditional checks to return early if nil values are detected, preventing the invalid delete operation and ensuring proper HTTP response behavior. [1, 2]

Impact Analysis

This vulnerability can cause the free5gc PCF component to crash or panic due to a nil pointer dereference when handling deletion requests for policy associations. This can lead to service disruption or denial of service, as the component may fail to respond correctly or terminate unexpectedly. Additionally, it can result in improper HTTP responses being sent to clients, which may affect the reliability and correctness of the system's API behavior. [1, 2]

Detection Guidance

This vulnerability can be detected by attempting to reproduce the nil pointer dereference panic in the free5gc PCF component. Specifically, you can send a DELETE request to the PCF endpoint with an invalid or non-existent policy association ID (polAssoId) using a valid OAuth2 access token. If the vulnerability is present, the PCF logs will show a panic due to nil pointer dereference. Example command using curl: 1. Obtain a valid access token via OAuth2 client credentials grant. 2. Send a DELETE request with an invalid polAssoId: curl -X DELETE -H "Authorization: Bearer <access_token>" https://<pcf_endpoint>/policies/<invalid_polAssoId> Observe the PCF logs for panic messages indicating nil pointer dereference. This confirms the presence of the vulnerability. [2]

Mitigation Strategies

To mitigate this vulnerability immediately, update the free5gc PCF component to include the fix that adds proper nil checks before deleting entries in the AMPolicyData map. Specifically, ensure that the function HandleDeletePoliciesPolAssoId returns immediately after detecting nil ue or nil AMPolicyData[polAssoId] to prevent nil pointer dereference. Additionally, modify the HTTP 204 No Content response to use c.Status(http.StatusNoContent) instead of c.JSON to comply with RFC 7231. If updating is not immediately possible, avoid sending DELETE requests with invalid or non-existent polAssoId values to the PCF until the patch is applied. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66720. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart