CVE-2025-69250
Information Disclosure via Error Message Leak in free5gc UDM
Publication date: 2026-02-24
Last updated on: 2026-02-25
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| free5gc | udm | to 1.4.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-754 | The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-69250 is an Improper Error Handling vulnerability found in the Unified Data Management (UDM) component of free5GC, an open-source 5G mobile core network project. In versions up to 1.4.1, the UDM service leaks detailed internal error messages, such as parsing errors related to invalid pduSessionId inputs, to remote clients. This occurs specifically in the Nudm_UECM DELETE API when processing malformed or out-of-range pduSessionId parameters.
The vulnerability arises because the service returns HTTP 500 Internal Server Errors with detailed internal error messages instead of proper client error responses (like 4xx errors) when invalid inputs are provided. This exposes implementation details that can be exploited for service fingerprinting and potentially other attacks.
The issue was fixed by enhancing input validation to ensure pduSessionId values are numeric and within the valid range, validating UE IDs, and improving error handling to avoid leaking internal details. The fix was implemented in pull request #76 and users are advised to apply the official patch as no direct application-level workaround exists.
How can this vulnerability impact me? :
This vulnerability can impact you by exposing detailed internal error messages to remote clients when invalid inputs are sent to the UDM Nudm_UECM DELETE service. Such information leakage reveals implementation details of the system.
Attackers can use this information for service fingerprinting, which may aid in crafting more targeted attacks against the free5GC deployment.
Additionally, the improper error handling causing HTTP 500 responses instead of proper client error codes can lead to instability or unexpected behavior in the service, potentially affecting reliability.
Since no direct application-level workaround exists, the vulnerability requires applying the official patch to mitigate these risks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by sending specially crafted DELETE requests to the Nudm_UECM endpoint with invalid pduSessionId inputs and observing the responses.'}, {'type': 'list_item', 'content': 'Send DELETE requests with numeric pduSessionId values exceeding the 32-bit signed integer range (e.g., 2147483648) and check if the server returns HTTP 500 Internal Server Error with detailed parsing error messages.'}, {'type': 'list_item', 'content': 'Send DELETE requests with non-numeric or malformed pduSessionId values (e.g., long alphanumeric strings) and verify if the server responds with HTTP 500 errors exposing internal error details.'}, {'type': 'list_item', 'content': 'Test query parameters such as smf-instance-id with invalid formats (e.g., incorrect UUIDs) and repeated invalid parameters to see if they trigger improper error handling.'}, {'type': 'paragraph', 'content': 'Example command using curl to test the vulnerability:'}, {'type': 'list_item', 'content': 'curl -X DELETE "http://<free5gc-udm-host>/nudm-uecm/v1/ue-contexts/invalid_pduSessionId"'}, {'type': 'list_item', 'content': 'Replace invalid_pduSessionId with values like 2147483648 or a long non-numeric string to trigger the error.'}, {'type': 'paragraph', 'content': 'If the server returns HTTP 500 responses with detailed internal error messages such as \'strconv.ParseInt: parsing "2147483648": value out of range\' or \'strconv.ParseInt: parsing "u0panv2z8mb2...": invalid syntax\', the vulnerability is present.'}] [2]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to apply the official patch that fixes the input validation issues in the free5GC UDM component.
Upgrade free5GC to a version that includes the fix from pull request #76, which enhances input validation for pduSessionId and other parameters, preventing improper error handling and service crashes.
No direct application-level workarounds are available, so patching is strongly recommended.
After patching, verify that the UDM service properly validates inputs and returns appropriate 4xx client error responses instead of 500 errors with internal details.