Can you explain this vulnerability to me?

[{'type': 'paragraph', 'content': 'CVE-2026-33065 is a vulnerability in the free5GC project\'s UDM (Unified Data Management) component affecting versions prior to 1.4.2. The issue arises when the UDM handles DELETE requests on the sdm-subscriptions endpoint with an empty supi path parameter (e.g., a URL containing double slashes "//"). In this case, the UDM forwards the malformed request to the UDR (Unified Data Repository), which correctly responds with a 400 Bad Request error. However, the UDM incorrectly converts this 400 error into a 500 Internal Server Error (SYSTEM_FAILURE) before returning it to the client.'}, {'type': 'paragraph', 'content': 'This improper error handling leaks internal error details and violates REST API best practices by obscuring client-side errors as server-side failures. As a result, clients cannot easily distinguish between errors caused by their requests and actual server problems, complicating error diagnosis and handling.'}, {'type': 'paragraph', 'content': 'The vulnerability was patched in version 1.4.2 by adding input validation to prevent empty or malformed supi parameters from causing this error conversion.'}] [1, 3]

Useful 0 Not Useful 0

How can this vulnerability impact me? :

This vulnerability can impact users and clients interacting with the free5GC UDM service by causing confusion and difficulty in error handling. Specifically, when a client sends a malformed DELETE request with an empty supi parameter, instead of receiving a clear 400 Bad Request response indicating a client-side error, the client receives a 500 Internal Server Error indicating a server-side failure.

This misrepresentation can lead to:

• Difficulty in diagnosing whether the error is due to client input or server malfunction.
• Potentially unnecessary troubleshooting or escalation of issues perceived as server faults.
• Complications in automated error handling or retry logic that depends on accurate HTTP status codes.

There is no direct application-level workaround, but implementing API gateway validation to reject DELETE requests with empty path parameters before they reach the UDM is recommended.

Useful 0 Not Useful 0

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know

Useful 0 Not Useful 0

How can this vulnerability be detected on my network or system? Can you suggest some commands?

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by sending a DELETE request to the free5GC UDM Nudm_SDM sdm-subscriptions endpoint with an empty supi path parameter (represented by double slashes "//" in the URL path). If the UDM incorrectly returns a 500 Internal Server Error instead of a 400 Bad Request, the vulnerability is present.'}, {'type': 'paragraph', 'content': 'A suggested command to test this behavior is:'}, {'type': 'list_item', 'content': 'curl -v -X DELETE "http://127.0.0.3:8000/nudm-sdm/v2//sdm-subscriptions/1" -H "Accept: application/json"'}, {'type': 'paragraph', 'content': 'If the response is a 500 Internal Server Error, it indicates the vulnerability exists. The expected correct behavior is a 400 Bad Request response.'}] [3]

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade free5GC to version 1.4.2 or later, where the vulnerability has been patched by adding strict validation of subscriber identifiers in the UDM component.

If immediate upgrade is not possible, it is recommended to implement API gateway validation to reject DELETE requests with empty supi path parameters before they reach the UDM service.

No direct application-level workaround exists within free5GC versions prior to 1.4.2, so network-level filtering or input validation is advised to prevent malformed requests.

Useful 0 Not Useful 0