{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/nrfv4.2.1/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["nrf:v4.2.1","go/github.com/free5gc/nrf (\u003c 1.4.3)"],"_cs_severities":["high"],"_cs_tags":["type-confusion","denial-of-service","free5GC"],"_cs_type":"advisory","_cs_vendors":["free5GC"],"content_html":"\u003cp\u003eA type confusion vulnerability (CWE-843) exists in the free5GC NRF (Network Repository Function) version 4.2.1, specifically within the \u003ccode\u003e/oauth2/token\u003c/code\u003e endpoint. This endpoint is intentionally unauthenticated, since it is where NF consumers obtain OAuth2 access tokens, so the bug is reachable by anyone who can reach the NRF SBI port. The defect is in how the \u003ccode\u003eNFs/nrf/internal/sbi/api_accesstoken.go\u003c/code\u003e handler binds incoming form data: it walks the \u003ccode\u003emodels.NrfAccessTokenAccessTokenReq\u003c/code\u003e struct by reflection but decodes most fields as if they were \u003ccode\u003emodels.PlmnId\u003c/code\u003e values. When the decoded \u003ccode\u003e*models.PlmnId\u003c/code\u003e is assigned to a field whose declared type is something else (a slice such as \u003ccode\u003e[]models.PlmnId\u003c/code\u003e, or a pointer to a different struct), \u003ccode\u003ereflect.Value.Set\u003c/code\u003e panics. The Gin recovery middleware catches the panic and converts it into an HTTP 500, so the process survives, but one unauthenticated form-encoded POST is enough to trigger the panic and the attacker can repeat it at will. This issue affects free5GC version 4.2.1.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker sends an HTTP POST request to the \u003ccode\u003e/oauth2/token\u003c/code\u003e endpoint of the free5GC NRF (\u003ccode\u003ehttp://10.100.200.3:8000\u003c/code\u003e in the reported setup; host and port follow the SBI configuration of the deployment).\u003c/li\u003e\n\u003cli\u003eThe request carries a \u003ccode\u003eContent-Type\u003c/code\u003e header of \u003ccode\u003eapplication/x-www-form-urlencoded\u003c/code\u003e, so the body is processed as form data.\u003c/li\u003e\n\u003cli\u003eThe body contains one URL-encoded parameter whose declared type is not \u003ccode\u003emodels.PlmnId\u003c/code\u003e: \u003ccode\u003erequesterPlmnList\u003c/code\u003e, \u003ccode\u003erequesterSnssaiList\u003c/code\u003e, \u003ccode\u003erequesterSnpnList\u003c/code\u003e, \u003ccode\u003etargetSnpn\u003c/code\u003e, \u003ccode\u003etargetSnssaiList\u003c/code\u003e, or \u003ccode\u003etargetNsiList\u003c/code\u003e. The value only needs to decode as a PlmnId object, for example \u003ccode\u003erequesterPlmnList={\u0026quot;mcc\u0026quot;:\u0026quot;208\u0026quot;,\u0026quot;mnc\u0026quot;:\u0026quot;93\u0026quot;}\u003c/code\u003e; it is the parameter name, not the value, that selects the mismatched field.\u003c/li\u003e\n\u003cli\u003eThe NRF\u0026rsquo;s \u003ccode\u003eapi_accesstoken.go\u003c/code\u003e handler parses the form data and reflects over the \u003ccode\u003emodels.NrfAccessTokenAccessTokenReq\u003c/code\u003e struct.\u003c/li\u003e\n\u003cli\u003eBecause the handler decodes the value as a PlmnId regardless of the field\u0026rsquo;s declared type, it attempts to assign a \u003ccode\u003e*models.PlmnId\u003c/code\u003e to an incompatible field (for \u003ccode\u003erequesterPlmnList\u003c/code\u003e, a \u003ccode\u003e[]models.PlmnId\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ereflect.Set\u003c/code\u003e call panics because the value is not assignable to the field\u0026rsquo;s type.\u003c/li\u003e\n\u003cli\u003eThe Gin recovery middleware catches the panic, writes the stack trace to the log, and returns HTTP 500 Internal Server Error.\u003c/li\u003e\n\u003cli\u003eThe NRF process continues to run; the request is dropped and an error is logged.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe type confusion (CWE-843) in the \u003ccode\u003e/oauth2/token\u003c/code\u003e endpoint lets an unauthenticated attacker degrade the NRF token issuance service. The Gin recovery mechanism keeps the process alive, so this is a resource-consumption and log-flooding denial of service rather than an outright crash: each malicious request costs a panic, a recovery, and a stack trace written to the log, and the requests can be repeated indefinitely. Sustained abuse slows token issuance for legitimate NF consumers and can drown the NRF logs in recovery traces. The handler also cannot tell a crafted request from a legitimate one, so any form-encoded token request that carries one of the affected fields fails with HTTP 500 in the same way. The vulnerability affects free5GC version 4.2.1. At least six fields (the six listed above) trigger the panic, all from the same root cause.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor NRF logs for HTTP 500 responses to POST \u003ccode\u003e/oauth2/token\u003c/code\u003e and for the recovered-panic stack traces that accompany them (they reference \u003ccode\u003ereflect.Set\u003c/code\u003e and \u003ccode\u003eapi_accesstoken.go\u003c/code\u003e). The URL \u003ccode\u003ehttp://10.100.200.3:8000/oauth2/token\u003c/code\u003e is the endpoint from the reported setup, not an attacker indicator, so key detection on the path, the \u003ccode\u003eapplication/x-www-form-urlencoded\u003c/code\u003e content type, and the triggering parameter names (\u003ccode\u003erequesterPlmnList\u003c/code\u003e, \u003ccode\u003erequesterSnssaiList\u003c/code\u003e, \u003ccode\u003erequesterSnpnList\u003c/code\u003e, \u003ccode\u003etargetSnpn\u003c/code\u003e, \u003ccode\u003etargetSnssaiList\u003c/code\u003e, \u003ccode\u003etargetNsiList\u003c/code\u003e), and deploy the \u0026ldquo;Detect free5GC NRF Type Confusion Attempt\u0026rdquo; Sigma rule. A legitimate NF consumer that includes one of these fields in its token request hits the same panic, so treat repetition from a single source, rather than a single 500, as the abuse signal.\u003c/li\u003e\n\u003cli\u003eApply the upstream patch available at \u003ccode\u003ehttps://github.com/free5gc/nrf/pull/83\u003c/code\u003e to address the vulnerability.\u003c/li\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003ego/github.com/free5gc/nrf\u003c/code\u003e module to version 1.4.3 or later to remediate CVE-2026-44325 (4.2.1 denotes the free5GC release; 1.4.3 is the nrf module version that carries the fix).\u003c/li\u003e\n\u003cli\u003eValidate types in the form binder itself rather than bolting a check on in front of the \u003ccode\u003e/oauth2/token\u003c/code\u003e endpoint: decode each form value into a fresh instance of the field\u0026rsquo;s own declared type (or check \u003ccode\u003ereflect.Type.AssignableTo\u003c/code\u003e before \u003ccode\u003ereflect.Value.Set\u003c/code\u003e and answer HTTP 400 on a mismatch), so that the type of every value handed to \u003ccode\u003ereflect.Set\u003c/code\u003e matches the corresponding field of the 
\u003ccode\u003emodels.NrfAccessTokenAccessTokenReq\u003c/code\u003e struct.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-09T14:00:00Z","date_published":"2026-05-09T14:00:00Z","id":"/briefs/2026-05-free5gc-nrf-type-confusion/","summary":"A type confusion bug (CWE-843) in the form-data binder behind the free5GC NRF's unauthenticated /oauth2/token endpoint lets a single crafted POST trigger a recovered panic and an HTTP 500; repeated requests degrade token issuance (denial of service).","title":"free5GC NRF Type Confusion Vulnerability in /oauth2/token Endpoint","url":"https://feed.craftedsignal.io/briefs/2026-05-free5gc-nrf-type-confusion/"}],"language":"en","title":"CraftedSignal Threat Feed — Nrf:v4.2.1","version":"https://jsonfeed.org/version/1.1"}
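The binder bug the advisory describes, and the fix it recommends, modelled in Go as an added example. This is not code from the advisory or from the free5GC project: the model types (PlmnId, Snssai, PlmnIdNid), the AccessTokenReq field set, the two decoders (decodeAsPlmnId for the buggy behaviour, decodeAsFieldType for the fix) and the handle function that stands in for Gin's recovery are all assumptions made here to reproduce the mechanism, not the real api_accesstoken.go. Running crashingFields over the assumed struct reproduces the advisory's count: exactly the six listed parameters make reflect.Set panic, while targetPlmn, whose type really is *PlmnId, binds fine.

```go
package main

import (
	"encoding/json"
	"net/url"
	"reflect"
)

// Simplified stand-ins for the free5GC model types the advisory names (constructed here,
// not the real definitions); encoding/json maps the lowercase wire keys onto them case-insensitively.
type PlmnId struct{ Mcc, Mnc string }
type Snssai struct{ Sst int32 }
type PlmnIdNid struct{ Mcc, Mnc, Nid string }

// Assumed subset of the NRF access-token request struct: targetPlmn really is a
// *PlmnId, while the six fields after it are slices or a pointer to another struct.
type AccessTokenReq struct {
	GrantType           string      `form:"grant_type"`
	NfInstanceId        string      `form:"nfInstanceId"`
	TargetPlmn          *PlmnId     `form:"targetPlmn"`
	RequesterPlmnList   []PlmnId    `form:"requesterPlmnList"`
	RequesterSnssaiList []Snssai    `form:"requesterSnssaiList"`
	RequesterSnpnList   []PlmnIdNid `form:"requesterSnpnList"`
	TargetSnpn          *PlmnIdNid  `form:"targetSnpn"`
	TargetSnssaiList    []Snssai    `form:"targetSnssaiList"`
	TargetNsiList       []string    `form:"targetNsiList"`
}

// decodeAsPlmnId reproduces the bug: the declared type is ignored, every value becomes a *PlmnId.
func decodeAsPlmnId(_ reflect.Type, raw string) (reflect.Value, error) {
	var p PlmnId
	if err := json.Unmarshal([]byte(raw), &p); err != nil {
		return reflect.Value{}, err
	}
	return reflect.ValueOf(&p), nil
}

// decodeAsFieldType is the fix: decode into a fresh T for a field of type T, so a bad body is an error, not a panic.
func decodeAsFieldType(t reflect.Type, raw string) (reflect.Value, error) {
	target := reflect.New(t) // *T
	if err := json.Unmarshal([]byte(raw), target.Interface()); err != nil {
		return reflect.Value{}, err
	}
	return target.Elem(), nil
}

// bind walks the struct by reflection, as the advisory says the handler does, and stores each value with Set.
func bind(form url.Values, decode func(reflect.Type, string) (reflect.Value, error)) (*AccessTokenReq, error) {
	req := &AccessTokenReq{}
	rv := reflect.ValueOf(req).Elem()
	for i := 0; i < rv.NumField(); i++ {
		key := rv.Type().Field(i).Tag.Get("form")
		raw := form.Get(key)
		if raw == "" {
			continue
		}
		if fv := rv.Field(i); fv.Kind() == reflect.String {
			fv.SetString(raw)
		} else if v, err := decode(fv.Type(), raw); err != nil {
			return nil, err
		} else {
			fv.Set(v) // buggy decoder: panic "reflect.Set: value of type *main.PlmnId is not assignable to type []main.PlmnId"
		}
	}
	return req, nil
}

// handle returns what a client observes: 200 on a clean bind, 400 on a bind error,
// and 500 when a panic is recovered the way Gin's Recovery middleware does.
func handle(decode func(reflect.Type, string) (reflect.Value, error), body string) (status int, req *AccessTokenReq) {
	defer func() {
		if recover() != nil {
			status, req = 500, nil // the process survives; only this request is lost
		}
	}()
	form, err := url.ParseQuery(body)
	if err != nil {
		return 400, nil
	}
	if req, err = bind(form, decode); err != nil {
		return 400, nil
	}
	return 200, req
}

// crashingFields probes every form key with the PlmnId object from the advisory's example and
// returns the keys for which the buggy decoder makes Set panic.
func crashingFields() []string {
	var out []string
	rt := reflect.TypeOf(AccessTokenReq{})
	for i := 0; i < rt.NumField(); i++ {
		key := rt.Field(i).Tag.Get("form")
		body := url.Values{key: {`{"mcc":"208","mnc":"93"}`}}.Encode()
		if s, _ := handle(decodeAsPlmnId, body); s == 500 {
			out = append(out, key)
		}
	}
	return out
}
```

The whole fix is the reflect.New(t) in decodeAsFieldType: once the value is decoded into the field's own type, the later Set cannot mismatch, and the attacker's object-into-slice body comes back as a 400 with no stack trace written. The same body through decodeAsPlmnId yields the recovered-panic 500 the advisory describes, while a well-formed list such as requesterPlmnList=[{"mcc":"208","mnc":"93"}] binds cleanly under the fix.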