CVE-2025-69250
Received Received - Intake
Information Disclosure via Error Message Leak in free5gc UDM

Publication date: 2026-02-24

Last updated on: 2026-02-25

Assigner: GitHub, Inc.

Description
free5gc UDM provides Unified Data Management (UDM) for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, the service reliably leaks detailed internal error messages (e.g., strconv.ParseInt parsing errors) to remote clients when processing invalid pduSessionId inputs. This exposes implementation details and can be used for service fingerprinting. All deployments of free5GC using the UDM Nudm_UECM DELETE service may be vulnerable. free5gc/udm pull request 76 contains a fix for the issue. No direct workaround is available at the application level. Applying the official patch is recommended.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-24
Last Modified
2026-02-25
Generated
2026-06-16
AI Q&A
2026-02-24
EPSS Evaluated
2026-06-15
NVD
CVE-2025-69250
EUVD
EUVD-2025-207567
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
free5gc udm to 1.4.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-754 The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-69250 is an Improper Error Handling vulnerability found in the Unified Data Management (UDM) component of free5GC, an open-source 5G mobile core network project. In versions up to 1.4.1, the UDM service leaks detailed internal error messages, such as parsing errors related to invalid pduSessionId inputs, to remote clients. This occurs specifically in the Nudm_UECM DELETE API when processing malformed or out-of-range pduSessionId parameters.

The vulnerability arises because the service returns HTTP 500 Internal Server Errors with detailed internal error messages instead of proper client error responses (like 4xx errors) when invalid inputs are provided. This exposes implementation details that can be exploited for service fingerprinting and potentially other attacks.

The issue was fixed by enhancing input validation to ensure pduSessionId values are numeric and within the valid range, validating UE IDs, and improving error handling to avoid leaking internal details. The fix was implemented in pull request #76 and users are advised to apply the official patch as no direct application-level workaround exists.

Impact Analysis

This vulnerability can impact you by exposing detailed internal error messages to remote clients when invalid inputs are sent to the UDM Nudm_UECM DELETE service. Such information leakage reveals implementation details of the system.

Attackers can use this information for service fingerprinting, which may aid in crafting more targeted attacks against the free5GC deployment.

Additionally, the improper error handling causing HTTP 500 responses instead of proper client error codes can lead to instability or unexpected behavior in the service, potentially affecting reliability.

Since no direct application-level workaround exists, the vulnerability requires applying the official patch to mitigate these risks.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by sending specially crafted DELETE requests to the Nudm_UECM endpoint with invalid pduSessionId inputs and observing the responses.'}, {'type': 'list_item', 'content': 'Send DELETE requests with numeric pduSessionId values exceeding the 32-bit signed integer range (e.g., 2147483648) and check if the server returns HTTP 500 Internal Server Error with detailed parsing error messages.'}, {'type': 'list_item', 'content': 'Send DELETE requests with non-numeric or malformed pduSessionId values (e.g., long alphanumeric strings) and verify if the server responds with HTTP 500 errors exposing internal error details.'}, {'type': 'list_item', 'content': 'Test query parameters such as smf-instance-id with invalid formats (e.g., incorrect UUIDs) and repeated invalid parameters to see if they trigger improper error handling.'}, {'type': 'paragraph', 'content': 'Example command using curl to test the vulnerability:'}, {'type': 'list_item', 'content': 'curl -X DELETE "http://<free5gc-udm-host>/nudm-uecm/v1/ue-contexts/invalid_pduSessionId"'}, {'type': 'list_item', 'content': 'Replace invalid_pduSessionId with values like 2147483648 or a long non-numeric string to trigger the error.'}, {'type': 'paragraph', 'content': 'If the server returns HTTP 500 responses with detailed internal error messages such as \'strconv.ParseInt: parsing "2147483648": value out of range\' or \'strconv.ParseInt: parsing "u0panv2z8mb2...": invalid syntax\', the vulnerability is present.'}] [2]

Mitigation Strategies

The primary mitigation step is to apply the official patch that fixes the input validation issues in the free5GC UDM component.

Upgrade free5GC to a version that includes the fix from pull request #76, which enhances input validation for pduSessionId and other parameters, preventing improper error handling and service crashes.

No direct application-level workarounds are available, so patching is strongly recommended.

After patching, verify that the UDM service properly validates inputs and returns appropriate 4xx client error responses instead of 500 errors with internal details.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-69250. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart