Vendor
free5GC NEF nnef-pfdmanagement API Unauthenticated Access Vulnerability
2 rules, 1 TTP, 4 IOCs
free5GC's NEF nnef-pfdmanagement API is vulnerable to unauthenticated access. Because the API lacks inbound OAuth2/bearer-token authorization, attackers with network access can read PFD data and create/delete PFD subscriptions using forged bearer tokens.
free5GC SMF Unauthenticated UPI Access
2 rules, 1 TTP, 2 IOCs
free5GC's Session Management Function (SMF) UPI interface lacks authentication, allowing unauthenticated network attackers to read/write/delete UP-node and link topology data via exposed APIs.
free5GC NRF Type Confusion Vulnerability in /oauth2/token Endpoint
2 rules, 2 TTPs, 1 IOC
The free5GC NRF's /oauth2/token endpoint has a type confusion vulnerability caused by incorrect parsing of form data, leading to a denial-of-service via unauthenticated requests.
free5GC NEF PATCH Handler Vulnerability Leads to Denial of Service
2 rules, 1 TTP, 3 IOCs
A nil pointer dereference vulnerability exists in free5GC's NEF PATCH /3gpp-pfd-management/v1/{afId}/transactions/{transId}/applications/{appId} handler when UDR access fails, causing a denial-of-service condition.
free5GC SMF Unauthenticated Process-Kill Denial-of-Service via UPI Endpoint
2 rules, 1 TTP, 1 IOC
free5GC's SMF is vulnerable to an unauthenticated denial-of-service attack where a crafted POST request to the `/upi/v1/upNodesLinks` endpoint can trigger a `Fatalf` call, terminating the entire SMF process, effectively disrupting network services.
free5GC UDM Information Disclosure via Malformed Request
2 rules, 2 TTPs, 1 CVE
The free5GC UDM component fails to validate the `supi` path parameter in six GET handlers, allowing an unauthenticated attacker to inject control characters and trigger a `500 Internal Server Error` that exposes internal infrastructure details.
free5GC PCF Nil Pointer Dereference Vulnerability
2 rules, 1 TTP, 2 IOCs
A nil-pointer dereference vulnerability exists in free5GC's PCF when handling POST requests to `/npcf-smpolicycontrol/v1/sm-policies`. When a downstream UDR lookup returns a 404 error, the handler continues execution instead of returning, leading to a nil response struct dereference and a panic. This results in an HTTP 500 error for the request, but the PCF process continues running. The vulnerability is triggered by sending a POST request with input that causes the downstream UDR lookup to fail, such as an unknown DNN. This issue affects free5GC versions v4.1.0 and v4.2.1.
free5GC PCF Authentication Bypass Vulnerability
2 rules, 1 TTP
free5GC PCF versions prior to 1.4.3 are vulnerable to an authentication bypass due to missing middleware, allowing unauthenticated access to SM policy handlers and disclosure of subscriber SUPI.
free5GC NEF Unauthenticated Callback Vulnerability
2 rules, 1 TTP
free5GC NEF v4.2.1 exposes an unauthenticated callback route group, enabling attackers to forge SMF callbacks and potentially corrupt AF traffic-influence or PFD-management subscription views, leading to unauthorized policy changes.
free5GC NEF Denial-of-Service via Unreachable notifyUri
2 rules, 1 TTP, 1 IOC
free5GC's NEF component is vulnerable to a denial-of-service attack in which an attacker creates a PFD subscription with an attacker-controlled `notifyUri`. When a PFD change is triggered, NEF attempts to deliver a notification to the specified URI; if the URI is unreachable, NEF terminates the entire process, causing a service outage. This can be triggered without authentication in version 4.2.1, making it easily exploitable.
free5GC SMF Unauthenticated State-Mutating Panic-DoS Vulnerability
2 rules, 2 TTPs, 2 IOCs
free5GC's SMF is vulnerable to an unauthenticated denial-of-service attack where a crafted DELETE request to the /upi/v1/upNodesLinks/{ref} endpoint triggers a nil-pointer dereference, causing a panic and mutating the in-memory user-plane topology, impacting the selection of UPFs for legitimate UE sessions.