Search criteria
271 vulnerabilities found for open5gs by open5gs
CVE-2025-15419 (GCVE-0-2025-15419)
Vulnerability from nvd – Published: 2026-01-02 00:02 – Updated: 2026-01-05 05:36 X_Open Source
VLAI?
Title
Open5GS GTPv2-C Flow s5c-handler.c sgwc_s5c_handle_create_session_response denial of service
Summary
A weakness has been identified in Open5GS up to 2.7.6. Affected by this issue is the function sgwc_s5c_handle_create_session_response of the file src/sgwc/s5c-handler.c of the component GTPv2-C Flow Handler. Executing a manipulation can lead to denial of service. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. This patch is called 5aaa09907e7b9e0a326265a5f08d56f54280b5f2. It is advisable to implement a patch to correct this issue.
Severity ?
CWE
- CWE-404 - Denial of Service
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
Credits
LinZiyu (VulDB User)
LinZiyu (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-15419",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-02T19:03:31.980018Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T19:04:02.955Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"GTPv2-C Flow Handler"
],
"product": "Open5GS",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "2.7.0"
},
{
"status": "affected",
"version": "2.7.1"
},
{
"status": "affected",
"version": "2.7.2"
},
{
"status": "affected",
"version": "2.7.3"
},
{
"status": "affected",
"version": "2.7.4"
},
{
"status": "affected",
"version": "2.7.5"
},
{
"status": "affected",
"version": "2.7.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "LinZiyu (VulDB User)"
},
{
"lang": "en",
"type": "analyst",
"value": "LinZiyu (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in Open5GS up to 2.7.6. Affected by this issue is the function sgwc_s5c_handle_create_session_response of the file src/sgwc/s5c-handler.c of the component GTPv2-C Flow Handler. Executing a manipulation can lead to denial of service. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. This patch is called 5aaa09907e7b9e0a326265a5f08d56f54280b5f2. It is advisable to implement a patch to correct this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 1.7,
"vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-404",
"description": "Denial of Service",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T05:36:52.925Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-339341 | Open5GS GTPv2-C Flow s5c-handler.c sgwc_s5c_handle_create_session_response denial of service",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.339341"
},
{
"name": "VDB-339341 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.339341"
},
{
"name": "Submit #728044 | Open5GS SGWC v2.7.6 Denial of Service",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.728044"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4224"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4224#issuecomment-3698521008"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4224#issue-3766767406"
},
{
"tags": [
"patch"
],
"url": "https://github.com/open5gs/open5gs/commit/5aaa09907e7b9e0a326265a5f08d56f54280b5f2"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-01-01T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-01-01T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-01-05T06:41:44.000Z",
"value": "VulDB entry last update"
}
],
"title": "Open5GS GTPv2-C Flow s5c-handler.c sgwc_s5c_handle_create_session_response denial of service"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-15419",
"datePublished": "2026-01-02T00:02:08.406Z",
"dateReserved": "2026-01-01T10:57:11.786Z",
"dateUpdated": "2026-01-05T05:36:52.925Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-15418 (GCVE-0-2025-15418)
Vulnerability from nvd – Published: 2026-01-01 23:32 – Updated: 2026-01-05 21:50 X_Open Source
VLAI?
Title
Open5GS Bearer QoS IE Length types.c ogs_gtp2_parse_bearer_qos denial of service
Summary
A security flaw has been discovered in Open5GS up to 2.7.6. Affected by this vulnerability is the function ogs_gtp2_parse_bearer_qos in the library lib/gtp/v2/types.c of the component Bearer QoS IE Length Handler. Performing manipulation results in denial of service. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The patch is named 4e913d21f2c032b187815f063dbab5ebe65fe83a. To fix this issue, it is recommended to deploy a patch.
Severity ?
CWE
- CWE-404 - Denial of Service
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
Credits
LinZiyu (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-15418",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-05T20:47:50.587899Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T21:50:43.884Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/open5gs/open5gs/issues/4217#issue-3759615968"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/open5gs/open5gs/issues/4217#issuecomment-3690767105"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/open5gs/open5gs/issues/4217"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Bearer QoS IE Length Handler"
],
"product": "Open5GS",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "2.7.0"
},
{
"status": "affected",
"version": "2.7.1"
},
{
"status": "affected",
"version": "2.7.2"
},
{
"status": "affected",
"version": "2.7.3"
},
{
"status": "affected",
"version": "2.7.4"
},
{
"status": "affected",
"version": "2.7.5"
},
{
"status": "affected",
"version": "2.7.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "LinZiyu (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in Open5GS up to 2.7.6. Affected by this vulnerability is the function ogs_gtp2_parse_bearer_qos in the library lib/gtp/v2/types.c of the component Bearer QoS IE Length Handler. Performing manipulation results in denial of service. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The patch is named 4e913d21f2c032b187815f063dbab5ebe65fe83a. To fix this issue, it is recommended to deploy a patch."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 1.7,
"vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-404",
"description": "Denial of Service",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-01T23:32:07.646Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-339340 | Open5GS Bearer QoS IE Length types.c ogs_gtp2_parse_bearer_qos denial of service",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.339340"
},
{
"name": "VDB-339340 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.339340"
},
{
"name": "Submit #728043 | Open5GS SGWC v2.7.6 Denial of Service",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.728043"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4217"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4217#issuecomment-3690767105"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4217#issue-3759615968"
},
{
"tags": [
"patch"
],
"url": "https://github.com/open5gs/open5gs/commit/4e913d21f2c032b187815f063dbab5ebe65fe83a"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-01-01T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-01-01T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-01-01T12:02:16.000Z",
"value": "VulDB entry last update"
}
],
"title": "Open5GS Bearer QoS IE Length types.c ogs_gtp2_parse_bearer_qos denial of service"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-15418",
"datePublished": "2026-01-01T23:32:07.646Z",
"dateReserved": "2026-01-01T10:57:04.431Z",
"dateUpdated": "2026-01-05T21:50:43.884Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-15417 (GCVE-0-2025-15417)
Vulnerability from nvd – Published: 2026-01-01 23:02 – Updated: 2026-01-06 14:33 X_Open Source
VLAI?
Title
Open5GS GTPv2-C F-TEID s11-handler.c sgwc_s11_handle_create_session_request denial of service
Summary
A vulnerability was identified in Open5GS up to 2.7.6. Affected is the function sgwc_s11_handle_create_session_request of the file src/sgwc/s11-handler.c of the component GTPv2-C F-TEID Handler. Such manipulation leads to denial of service. The attack must be carried out locally. The exploit is publicly available and might be used. The name of the patch is 465273d13ba5d47b274c38c9d1b07f04859178a1. A patch should be applied to remediate this issue.
Severity ?
CWE
- CWE-404 - Denial of Service
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
Credits
ZiyuLin (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-15417",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-06T14:33:01.789954Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-06T14:33:18.331Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/open5gs/open5gs/issues/4203#issue-3719257558"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"GTPv2-C F-TEID Handler"
],
"product": "Open5GS",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "2.7.0"
},
{
"status": "affected",
"version": "2.7.1"
},
{
"status": "affected",
"version": "2.7.2"
},
{
"status": "affected",
"version": "2.7.3"
},
{
"status": "affected",
"version": "2.7.4"
},
{
"status": "affected",
"version": "2.7.5"
},
{
"status": "affected",
"version": "2.7.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "ZiyuLin (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in Open5GS up to 2.7.6. Affected is the function sgwc_s11_handle_create_session_request of the file src/sgwc/s11-handler.c of the component GTPv2-C F-TEID Handler. Such manipulation leads to denial of service. The attack must be carried out locally. The exploit is publicly available and might be used. The name of the patch is 465273d13ba5d47b274c38c9d1b07f04859178a1. A patch should be applied to remediate this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 1.7,
"vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-404",
"description": "Denial of Service",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-01T23:02:07.030Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-339339 | Open5GS GTPv2-C F-TEID s11-handler.c sgwc_s11_handle_create_session_request denial of service",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.339339"
},
{
"name": "VDB-339339 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.339339"
},
{
"name": "Submit #727616 | Open5GS SGWC v2.7.6 Denial of Service",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.727616"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4203"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4203#issuecomment-3681643498"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4203#issue-3719257558"
},
{
"tags": [
"patch"
],
"url": "https://github.com/open5gs/open5gs/commit/465273d13ba5d47b274c38c9d1b07f04859178a1"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-01-01T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-01-01T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-01-01T11:56:16.000Z",
"value": "VulDB entry last update"
}
],
"title": "Open5GS GTPv2-C F-TEID s11-handler.c sgwc_s11_handle_create_session_request denial of service"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-15417",
"datePublished": "2026-01-01T23:02:07.030Z",
"dateReserved": "2026-01-01T10:50:23.624Z",
"dateUpdated": "2026-01-06T14:33:18.331Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-15176 (GCVE-0-2025-15176)
Vulnerability from nvd – Published: 2025-12-29 06:32 – Updated: 2025-12-29 14:38 X_Open Source
VLAI?
Title
Open5GS PFCP Session Establishment Request rule-match.c ogs_pfcp_pdr_rule_find_by_packet assertion
Summary
A flaw has been found in Open5GS up to 2.7.5. This affects the function decode_ipv6_header/ogs_pfcp_pdr_rule_find_by_packet of the file lib/pfcp/rule-match.c of the component PFCP Session Establishment Request Handler. Executing manipulation can lead to reachable assertion. It is possible to launch the attack remotely. The exploit has been published and may be used. This patch is called b72d8349980076e2c033c8324f07747a86eea4f8. Applying a patch is advised to resolve this issue.
Severity ?
CWE
- CWE-617 - Reachable Assertion
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
Credits
ZiyuLin (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-15176",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-29T14:38:27.407041Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-29T14:38:33.043Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"PFCP Session Establishment Request Handler"
],
"product": "Open5GS",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "2.7.0"
},
{
"status": "affected",
"version": "2.7.1"
},
{
"status": "affected",
"version": "2.7.2"
},
{
"status": "affected",
"version": "2.7.3"
},
{
"status": "affected",
"version": "2.7.4"
},
{
"status": "affected",
"version": "2.7.5"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "ZiyuLin (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw has been found in Open5GS up to 2.7.5. This affects the function decode_ipv6_header/ogs_pfcp_pdr_rule_find_by_packet of the file lib/pfcp/rule-match.c of the component PFCP Session Establishment Request Handler. Executing manipulation can lead to reachable assertion. It is possible to launch the attack remotely. The exploit has been published and may be used. This patch is called b72d8349980076e2c033c8324f07747a86eea4f8. Applying a patch is advised to resolve this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-617",
"description": "Reachable Assertion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-29T06:32:06.957Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-338561 | Open5GS PFCP Session Establishment Request rule-match.c ogs_pfcp_pdr_rule_find_by_packet assertion",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.338561"
},
{
"name": "VDB-338561 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.338561"
},
{
"name": "Submit #719830 | Open5GS v2.7.5 Reachable Assertion",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.719830"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4180"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4180#issuecomment-3615555671"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4180#issue-3666760066"
},
{
"tags": [
"patch"
],
"url": "https://github.com/open5gs/open5gs/commit/b72d8349980076e2c033c8324f07747a86eea4f8"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2025-12-28T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-12-28T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-12-28T10:18:50.000Z",
"value": "VulDB entry last update"
}
],
"title": "Open5GS PFCP Session Establishment Request rule-match.c ogs_pfcp_pdr_rule_find_by_packet assertion"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-15176",
"datePublished": "2025-12-29T06:32:06.957Z",
"dateReserved": "2025-12-28T08:25:27.283Z",
"dateUpdated": "2025-12-29T14:38:33.043Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14955 (GCVE-0-2025-14955)
Vulnerability from nvd – Published: 2025-12-19 16:32 – Updated: 2025-12-19 18:00 X_Open Source
VLAI?
Title
Open5GS PFCP handler.c ogs_pfcp_handle_create_pdr initialization
Summary
A vulnerability was found in Open5GS up to 2.7.5. Affected by this vulnerability is the function ogs_pfcp_handle_create_pdr in the library lib/pfcp/handler.c of the component PFCP. The manipulation results in improper initialization. It is possible to launch the attack remotely. This attack is characterized by high complexity. The exploitation appears to be difficult. The exploit has been made public and could be used. The patch is identified as 773117aa5472af26fc9f80e608d3386504c3bdb7. It is best practice to apply a patch to resolve this issue.
Severity ?
CWE
- CWE-665 - Improper Initialization
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
Credits
ZiyuLin (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14955",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-19T17:25:04.453035Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T18:00:47.567Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/open5gs/open5gs/issues/4182"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/open5gs/open5gs/issues/4182#issue-3670797098"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/open5gs/open5gs/issues/4182#issuecomment-3616081878"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"PFCP"
],
"product": "Open5GS",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "2.7.0"
},
{
"status": "affected",
"version": "2.7.1"
},
{
"status": "affected",
"version": "2.7.2"
},
{
"status": "affected",
"version": "2.7.3"
},
{
"status": "affected",
"version": "2.7.4"
},
{
"status": "affected",
"version": "2.7.5"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "ZiyuLin (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Open5GS up to 2.7.5. Affected by this vulnerability is the function ogs_pfcp_handle_create_pdr in the library lib/pfcp/handler.c of the component PFCP. The manipulation results in improper initialization. It is possible to launch the attack remotely. This attack is characterized by high complexity. The exploitation appears to be difficult. The exploit has been made public and could be used. The patch is identified as 773117aa5472af26fc9f80e608d3386504c3bdb7. It is best practice to apply a patch to resolve this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 2.6,
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-665",
"description": "Improper Initialization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T16:32:08.036Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-337591 | Open5GS PFCP handler.c ogs_pfcp_handle_create_pdr initialization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.337591"
},
{
"name": "VDB-337591 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.337591"
},
{
"name": "Submit #716841 | Open5GS v2.7.5 Reachable Assertion",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.716841"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4182"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4182#issuecomment-3616081878"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4182#issue-3670797098"
},
{
"tags": [
"patch"
],
"url": "https://github.com/open5gs/open5gs/commit/773117aa5472af26fc9f80e608d3386504c3bdb7"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2025-12-19T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-12-19T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-12-19T09:36:53.000Z",
"value": "VulDB entry last update"
}
],
"title": "Open5GS PFCP handler.c ogs_pfcp_handle_create_pdr initialization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-14955",
"datePublished": "2025-12-19T16:32:08.036Z",
"dateReserved": "2025-12-19T08:31:39.061Z",
"dateUpdated": "2025-12-19T18:00:47.567Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14954 (GCVE-0-2025-14954)
Vulnerability from nvd – Published: 2025-12-19 16:02 – Updated: 2025-12-28 09:30 X_Open Source
VLAI?
Title
Open5GS QER/FAR/URR/PDR context.c ogs_pfcp_qer_find_or_add assertion
Summary
A vulnerability has been found in Open5GS up to 2.7.6. Affected is the function ogs_pfcp_pdr_find_or_add/ogs_pfcp_far_find_or_add/ogs_pfcp_urr_find_or_add/ogs_pfcp_qer_find_or_add in the library lib/pfcp/context.c of the component QER/FAR/URR/PDR. The manipulation leads to reachable assertion. It is possible to initiate the attack remotely. The attack's complexity is rated as high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 442369dcd964f03d95429a6a01a57ed21f7779b7. Applying a patch is the recommended action to fix this issue.
Severity ?
CWE
- CWE-617 - Reachable Assertion
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
Credits
ZiyuLin (VulDB User)
ZiyuLin (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14954",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-19T16:31:30.704132Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T16:31:41.201Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"QER/FAR/URR/PDR"
],
"product": "Open5GS",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "2.7.0"
},
{
"status": "affected",
"version": "2.7.1"
},
{
"status": "affected",
"version": "2.7.2"
},
{
"status": "affected",
"version": "2.7.3"
},
{
"status": "affected",
"version": "2.7.4"
},
{
"status": "affected",
"version": "2.7.5"
},
{
"status": "affected",
"version": "2.7.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "ZiyuLin (VulDB User)"
},
{
"lang": "en",
"type": "analyst",
"value": "ZiyuLin (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in Open5GS up to 2.7.6. Affected is the function ogs_pfcp_pdr_find_or_add/ogs_pfcp_far_find_or_add/ogs_pfcp_urr_find_or_add/ogs_pfcp_qer_find_or_add in the library lib/pfcp/context.c of the component QER/FAR/URR/PDR. The manipulation leads to reachable assertion. It is possible to initiate the attack remotely. The attack\u0027s complexity is rated as high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 442369dcd964f03d95429a6a01a57ed21f7779b7. Applying a patch is the recommended action to fix this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 2.6,
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-617",
"description": "Reachable Assertion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-28T09:30:08.899Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-337590 | Open5GS QER/FAR/URR/PDR context.c ogs_pfcp_qer_find_or_add assertion",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.337590"
},
{
"name": "VDB-337590 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.337590"
},
{
"name": "Submit #716810 | Open5GS v2.7.5 CWE-617 Reachable Assertion",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.716810"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4181"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4181#issuecomment-3615646842"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4181#issue-3667069101"
},
{
"tags": [
"patch"
],
"url": "https://github.com/open5gs/open5gs/commit/442369dcd964f03d95429a6a01a57ed21f7779b7"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2025-12-19T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-12-19T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-12-28T10:34:52.000Z",
"value": "VulDB entry last update"
}
],
"title": "Open5GS QER/FAR/URR/PDR context.c ogs_pfcp_qer_find_or_add assertion"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-14954",
"datePublished": "2025-12-19T16:02:11.110Z",
"dateReserved": "2025-12-19T08:31:35.484Z",
"dateUpdated": "2025-12-28T09:30:08.899Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14953 (GCVE-0-2025-14953)
Vulnerability from nvd – Published: 2025-12-19 16:02 – Updated: 2025-12-19 16:32 X_Open Source
VLAI?
Title
Open5GS FAR-ID handler.c ogs_pfcp_handle_create_pdr null pointer dereference
Summary
A flaw has been found in Open5GS up to 2.7.5. This impacts the function ogs_pfcp_handle_create_pdr in the library lib/pfcp/handler.c of the component FAR-ID Handler. Executing manipulation can lead to null pointer dereference. The attack may be performed from remote. The attack requires a high level of complexity. The exploitability is said to be difficult. The exploit has been published and may be used. This patch is called 93a9fd98a8baa94289be3b982028201de4534e32. It is advisable to implement a patch to correct this issue.
Severity ?
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
Credits
ZiyuLin (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14953",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-19T16:32:32.036056Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T16:32:56.837Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"FAR-ID Handler"
],
"product": "Open5GS",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "2.7.0"
},
{
"status": "affected",
"version": "2.7.1"
},
{
"status": "affected",
"version": "2.7.2"
},
{
"status": "affected",
"version": "2.7.3"
},
{
"status": "affected",
"version": "2.7.4"
},
{
"status": "affected",
"version": "2.7.5"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "ZiyuLin (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw has been found in Open5GS up to 2.7.5. This impacts the function ogs_pfcp_handle_create_pdr in the library lib/pfcp/handler.c of the component FAR-ID Handler. Executing manipulation can lead to null pointer dereference. The attack may be performed from remote. The attack requires a high level of complexity. The exploitability is said to be difficult. The exploit has been published and may be used. This patch is called 93a9fd98a8baa94289be3b982028201de4534e32. It is advisable to implement a patch to correct this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 2.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 2.1,
"vectorString": "AV:N/AC:H/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-404",
"description": "Denial of Service",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T16:02:07.234Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-337589 | Open5GS FAR-ID handler.c ogs_pfcp_handle_create_pdr null pointer dereference",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.337589"
},
{
"name": "VDB-337589 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.337589"
},
{
"name": "Submit #716799 | Open5GS v2.7.5 Reachable Assertion",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.716799"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4179"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4179#issuecomment-3614868758"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4179#issue-3666399406"
},
{
"tags": [
"patch"
],
"url": "https://github.com/open5gs/open5gs/commit/93a9fd98a8baa94289be3b982028201de4534e32"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2025-12-19T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-12-19T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-12-19T09:36:45.000Z",
"value": "VulDB entry last update"
}
],
"title": "Open5GS FAR-ID handler.c ogs_pfcp_handle_create_pdr null pointer dereference"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-14953",
"datePublished": "2025-12-19T16:02:07.234Z",
"dateReserved": "2025-12-19T08:31:23.204Z",
"dateUpdated": "2025-12-19T16:32:56.837Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-65559 (GCVE-0-2025-65559)
Vulnerability from nvd – Published: 2025-12-18 00:00 – Updated: 2025-12-19 18:01
VLAI?
Summary
An issue was discovered in Open5GS 2.7.5-49-g465e90f, when processing a PFCP Session Establishment Request (type=50), the UPF crashes with a reachable assertion in `lib/pfcp/context.c` (`ogs_pfcp_object_teid_hash_set`) if the CreatePDR?PDI?F-TEID has CH=1 and the F-TEID address-family flag(s) (IPv4/IPv6) do not match the GTP-U resource family configured for the selected DNN (Network Instance), resulting in a denial of service.
Severity ?
7.5 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-65559",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-19T17:31:50.507865Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-617",
"description": "CWE-617 Reachable Assertion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T18:01:45.486Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/open5gs/open5gs/issues/4135"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Open5GS 2.7.5-49-g465e90f, when processing a PFCP Session Establishment Request (type=50), the UPF crashes with a reachable assertion in `lib/pfcp/context.c` (`ogs_pfcp_object_teid_hash_set`) if the CreatePDR?PDI?F-TEID has CH=1 and the F-TEID address-family flag(s) (IPv4/IPv6) do not match the GTP-U resource family configured for the selected DNN (Network Instance), resulting in a denial of service."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T18:42:55.350Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/open5gs/open5gs/issues/4135"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-65559",
"datePublished": "2025-12-18T00:00:00.000Z",
"dateReserved": "2025-11-18T00:00:00.000Z",
"dateUpdated": "2025-12-19T18:01:45.486Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-63288 (GCVE-0-2025-63288)
Vulnerability from nvd – Published: 2025-11-10 00:00 – Updated: 2025-11-12 20:18
VLAI?
Summary
In Open5GS 2.7.6, AMF crashes when receiving an abnormal NGSetupRequest message, resulting in denial of service.
Severity ?
7.5 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-63288",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T20:18:13.792350Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T20:18:35.968Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Open5GS 2.7.6, AMF crashes when receiving an abnormal NGSetupRequest message, resulting in denial of service."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T19:03:50.578Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/open5gs/open5gs/issues/4087"
},
{
"url": "https://github.com/open5gs/open5gs/commit/be765fe2b03e350836272eee5afb3931bdfb86d5"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-63288",
"datePublished": "2025-11-10T00:00:00.000Z",
"dateReserved": "2025-10-27T00:00:00.000Z",
"dateUpdated": "2025-11-12T20:18:35.968Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-41068 (GCVE-0-2025-41068)
Vulnerability from nvd – Published: 2025-10-27 12:47 – Updated: 2025-10-29 10:28
VLAI?
Title
Reachable Assertion vulnerability in Open5GS
Summary
Reachable Assertion vulnerability in Open5GS up to version 2.7.6 allows attackers with connectivity to the NRF to cause a denial of service. This is achieved by sending the creation of an NF with an invalid type via SBI and then requesting its data. The NRF executes a check that crashes the process, leaving the discovery service unresponsive.
Severity ?
CWE
- CWE-617 - Reachable Assertion
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41068",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-27T15:08:40.899125Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-27T15:08:58.104Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Open5GS",
"vendor": "NewPlane",
"versions": [
{
"lessThanOrEqual": "2.7.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:newplane:open5gs:*:*:*:*:*:*:*:*",
"versionEndIncluding": "2.7.5",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"datePublic": "2025-10-27T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Reachable Assertion vulnerability in Open5GS up to version 2.7.6 allows attackers with connectivity to the NRF to cause a denial of service. This is achieved by sending the creation of an NF with an invalid type via SBI and then requesting its data. The NRF executes a check that crashes the process, leaving the discovery service unresponsive."
}
],
"value": "Reachable Assertion vulnerability in Open5GS up to version 2.7.6 allows attackers with connectivity to the NRF to cause a denial of service. This is achieved by sending the creation of an NF with an invalid type via SBI and then requesting its data. The NRF executes a check that crashes the process, leaving the discovery service unresponsive."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-617",
"description": "CWE-617 Reachable Assertion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T10:28:05.622Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-newplanes-open5gs"
},
{
"tags": [
"patch"
],
"url": "https://open5gs.org/open5gs/release/2025/07/19/release-v2.7.6.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vulnerabilitiy has been fixed by the Open5GS team in version v2.7.6."
}
],
"value": "The vulnerabilitiy has been fixed by the Open5GS team in version v2.7.6."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Reachable Assertion vulnerability in Open5GS",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2025-41068",
"datePublished": "2025-10-27T12:47:57.984Z",
"dateReserved": "2025-04-16T09:09:34.458Z",
"dateUpdated": "2025-10-29T10:28:05.622Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-41067 (GCVE-0-2025-41067)
Vulnerability from nvd – Published: 2025-10-27 12:47 – Updated: 2025-10-29 10:27
VLAI?
Title
Reachable Assertion vulnerability in Open5GS
Summary
Reachable Assertion vulnerability in Open5GS up to version 2.7.6 allows attackers with connectivity to the NRF to cause a denial of service. An SBI request that deletes the NRF's own registry causes a check that ends up crashing the NRF process and renders the discovery service unavailable.
Severity ?
CWE
- CWE-617 - Reachable Assertion
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41067",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-27T15:09:33.939113Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-27T15:09:47.594Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Open5GS",
"vendor": "NewPlane",
"versions": [
{
"lessThanOrEqual": "2.7.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:newplane:open5gs:*:*:*:*:*:*:*:*",
"versionEndIncluding": "2.7.5",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"datePublic": "2025-10-27T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Reachable Assertion vulnerability in Open5GS up to version 2.7.6 allows attackers with connectivity to the NRF to cause a denial of service. An SBI request that deletes the NRF\u0027s own registry causes a check that ends up crashing the NRF process and renders the discovery service unavailable."
}
],
"value": "Reachable Assertion vulnerability in Open5GS up to version 2.7.6 allows attackers with connectivity to the NRF to cause a denial of service. An SBI request that deletes the NRF\u0027s own registry causes a check that ends up crashing the NRF process and renders the discovery service unavailable."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-617",
"description": "CWE-617 Reachable Assertion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T10:27:42.252Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-newplanes-open5gs"
},
{
"tags": [
"patch"
],
"url": "https://open5gs.org/open5gs/release/2025/07/19/release-v2.7.6.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vulnerabilitiy has been fixed by the Open5GS team in version v2.7.6."
}
],
"value": "The vulnerabilitiy has been fixed by the Open5GS team in version v2.7.6."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Reachable Assertion vulnerability in Open5GS",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2025-41067",
"datePublished": "2025-10-27T12:47:32.364Z",
"dateReserved": "2025-04-16T09:09:34.457Z",
"dateUpdated": "2025-10-29T10:27:42.252Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-55904 (GCVE-0-2025-55904)
Vulnerability from nvd – Published: 2025-09-17 00:00 – Updated: 2025-09-17 14:28
VLAI?
Summary
Open5GS v2.7.5, prior to commit 67ba7f92bbd7a378954895d96d9d7b05d5b64615, is vulnerable to a NULL pointer dereference when a multipart/related HTTP POST request with an empty HTTP body is sent to the SBI of either AMF, AUSF, BSF, NRF, NSSF, PCF, SMF, UDM, or UDR, resulting in a denial of service. This occurs in the parse_multipart function in lib/sbi/message.c.
Severity ?
4 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-55904",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-17T14:25:13.640980Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T14:28:46.520Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open5GS v2.7.5, prior to commit 67ba7f92bbd7a378954895d96d9d7b05d5b64615, is vulnerable to a NULL pointer dereference when a multipart/related HTTP POST request with an empty HTTP body is sent to the SBI of either AMF, AUSF, BSF, NRF, NSSF, PCF, SMF, UDM, or UDR, resulting in a denial of service. This occurs in the parse_multipart function in lib/sbi/message.c."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T13:48:18.473Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/open5gs/open5gs/commit/67ba7f92bbd7a378954895d96d9d7b05d5b64615"
},
{
"url": "https://github.com/open5gs/open5gs/issues/3942"
},
{
"url": "https://github.com/tsiamoulis/vuln-research/tree/main/CVE-2025-55904"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-55904",
"datePublished": "2025-09-17T00:00:00.000Z",
"dateReserved": "2025-08-16T00:00:00.000Z",
"dateUpdated": "2025-09-17T14:28:46.520Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-15419 (GCVE-0-2025-15419)
Vulnerability from cvelistv5 – Published: 2026-01-02 00:02 – Updated: 2026-01-05 05:36 X_Open Source
VLAI?
Title
Open5GS GTPv2-C Flow s5c-handler.c sgwc_s5c_handle_create_session_response denial of service
Summary
A weakness has been identified in Open5GS up to 2.7.6. Affected by this issue is the function sgwc_s5c_handle_create_session_response of the file src/sgwc/s5c-handler.c of the component GTPv2-C Flow Handler. Executing a manipulation can lead to denial of service. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. This patch is called 5aaa09907e7b9e0a326265a5f08d56f54280b5f2. It is advisable to implement a patch to correct this issue.
Severity ?
CWE
- CWE-404 - Denial of Service
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
Credits
LinZiyu (VulDB User)
LinZiyu (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-15419",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-02T19:03:31.980018Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T19:04:02.955Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"GTPv2-C Flow Handler"
],
"product": "Open5GS",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "2.7.0"
},
{
"status": "affected",
"version": "2.7.1"
},
{
"status": "affected",
"version": "2.7.2"
},
{
"status": "affected",
"version": "2.7.3"
},
{
"status": "affected",
"version": "2.7.4"
},
{
"status": "affected",
"version": "2.7.5"
},
{
"status": "affected",
"version": "2.7.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "LinZiyu (VulDB User)"
},
{
"lang": "en",
"type": "analyst",
"value": "LinZiyu (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in Open5GS up to 2.7.6. Affected by this issue is the function sgwc_s5c_handle_create_session_response of the file src/sgwc/s5c-handler.c of the component GTPv2-C Flow Handler. Executing a manipulation can lead to denial of service. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. This patch is called 5aaa09907e7b9e0a326265a5f08d56f54280b5f2. It is advisable to implement a patch to correct this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 1.7,
"vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-404",
"description": "Denial of Service",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T05:36:52.925Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-339341 | Open5GS GTPv2-C Flow s5c-handler.c sgwc_s5c_handle_create_session_response denial of service",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.339341"
},
{
"name": "VDB-339341 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.339341"
},
{
"name": "Submit #728044 | Open5GS SGWC v2.7.6 Denial of Service",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.728044"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4224"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4224#issuecomment-3698521008"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4224#issue-3766767406"
},
{
"tags": [
"patch"
],
"url": "https://github.com/open5gs/open5gs/commit/5aaa09907e7b9e0a326265a5f08d56f54280b5f2"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-01-01T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-01-01T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-01-05T06:41:44.000Z",
"value": "VulDB entry last update"
}
],
"title": "Open5GS GTPv2-C Flow s5c-handler.c sgwc_s5c_handle_create_session_response denial of service"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-15419",
"datePublished": "2026-01-02T00:02:08.406Z",
"dateReserved": "2026-01-01T10:57:11.786Z",
"dateUpdated": "2026-01-05T05:36:52.925Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-15418 (GCVE-0-2025-15418)
Vulnerability from cvelistv5 – Published: 2026-01-01 23:32 – Updated: 2026-01-05 21:50 X_Open Source
VLAI?
Title
Open5GS Bearer QoS IE Length types.c ogs_gtp2_parse_bearer_qos denial of service
Summary
A security flaw has been discovered in Open5GS up to 2.7.6. Affected by this vulnerability is the function ogs_gtp2_parse_bearer_qos in the library lib/gtp/v2/types.c of the component Bearer QoS IE Length Handler. Performing manipulation results in denial of service. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The patch is named 4e913d21f2c032b187815f063dbab5ebe65fe83a. To fix this issue, it is recommended to deploy a patch.
Severity ?
CWE
- CWE-404 - Denial of Service
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
Credits
LinZiyu (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-15418",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-05T20:47:50.587899Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T21:50:43.884Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/open5gs/open5gs/issues/4217#issue-3759615968"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/open5gs/open5gs/issues/4217#issuecomment-3690767105"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/open5gs/open5gs/issues/4217"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Bearer QoS IE Length Handler"
],
"product": "Open5GS",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "2.7.0"
},
{
"status": "affected",
"version": "2.7.1"
},
{
"status": "affected",
"version": "2.7.2"
},
{
"status": "affected",
"version": "2.7.3"
},
{
"status": "affected",
"version": "2.7.4"
},
{
"status": "affected",
"version": "2.7.5"
},
{
"status": "affected",
"version": "2.7.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "LinZiyu (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in Open5GS up to 2.7.6. Affected by this vulnerability is the function ogs_gtp2_parse_bearer_qos in the library lib/gtp/v2/types.c of the component Bearer QoS IE Length Handler. Performing manipulation results in denial of service. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The patch is named 4e913d21f2c032b187815f063dbab5ebe65fe83a. To fix this issue, it is recommended to deploy a patch."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 1.7,
"vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-404",
"description": "Denial of Service",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-01T23:32:07.646Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-339340 | Open5GS Bearer QoS IE Length types.c ogs_gtp2_parse_bearer_qos denial of service",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.339340"
},
{
"name": "VDB-339340 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.339340"
},
{
"name": "Submit #728043 | Open5GS SGWC v2.7.6 Denial of Service",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.728043"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4217"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4217#issuecomment-3690767105"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4217#issue-3759615968"
},
{
"tags": [
"patch"
],
"url": "https://github.com/open5gs/open5gs/commit/4e913d21f2c032b187815f063dbab5ebe65fe83a"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-01-01T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-01-01T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-01-01T12:02:16.000Z",
"value": "VulDB entry last update"
}
],
"title": "Open5GS Bearer QoS IE Length types.c ogs_gtp2_parse_bearer_qos denial of service"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-15418",
"datePublished": "2026-01-01T23:32:07.646Z",
"dateReserved": "2026-01-01T10:57:04.431Z",
"dateUpdated": "2026-01-05T21:50:43.884Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-15417 (GCVE-0-2025-15417)
Vulnerability from cvelistv5 – Published: 2026-01-01 23:02 – Updated: 2026-01-06 14:33 X_Open Source
VLAI?
Title
Open5GS GTPv2-C F-TEID s11-handler.c sgwc_s11_handle_create_session_request denial of service
Summary
A vulnerability was identified in Open5GS up to 2.7.6. Affected is the function sgwc_s11_handle_create_session_request of the file src/sgwc/s11-handler.c of the component GTPv2-C F-TEID Handler. Such manipulation leads to denial of service. The attack must be carried out locally. The exploit is publicly available and might be used. The name of the patch is 465273d13ba5d47b274c38c9d1b07f04859178a1. A patch should be applied to remediate this issue.
Severity ?
CWE
- CWE-404 - Denial of Service
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
Credits
ZiyuLin (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-15417",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-06T14:33:01.789954Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-06T14:33:18.331Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/open5gs/open5gs/issues/4203#issue-3719257558"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"GTPv2-C F-TEID Handler"
],
"product": "Open5GS",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "2.7.0"
},
{
"status": "affected",
"version": "2.7.1"
},
{
"status": "affected",
"version": "2.7.2"
},
{
"status": "affected",
"version": "2.7.3"
},
{
"status": "affected",
"version": "2.7.4"
},
{
"status": "affected",
"version": "2.7.5"
},
{
"status": "affected",
"version": "2.7.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "ZiyuLin (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in Open5GS up to 2.7.6. Affected is the function sgwc_s11_handle_create_session_request of the file src/sgwc/s11-handler.c of the component GTPv2-C F-TEID Handler. Such manipulation leads to denial of service. The attack must be carried out locally. The exploit is publicly available and might be used. The name of the patch is 465273d13ba5d47b274c38c9d1b07f04859178a1. A patch should be applied to remediate this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 1.7,
"vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-404",
"description": "Denial of Service",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-01T23:02:07.030Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-339339 | Open5GS GTPv2-C F-TEID s11-handler.c sgwc_s11_handle_create_session_request denial of service",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.339339"
},
{
"name": "VDB-339339 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.339339"
},
{
"name": "Submit #727616 | Open5GS SGWC v2.7.6 Denial of Service",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.727616"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4203"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4203#issuecomment-3681643498"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4203#issue-3719257558"
},
{
"tags": [
"patch"
],
"url": "https://github.com/open5gs/open5gs/commit/465273d13ba5d47b274c38c9d1b07f04859178a1"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-01-01T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-01-01T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-01-01T11:56:16.000Z",
"value": "VulDB entry last update"
}
],
"title": "Open5GS GTPv2-C F-TEID s11-handler.c sgwc_s11_handle_create_session_request denial of service"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-15417",
"datePublished": "2026-01-01T23:02:07.030Z",
"dateReserved": "2026-01-01T10:50:23.624Z",
"dateUpdated": "2026-01-06T14:33:18.331Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-15176 (GCVE-0-2025-15176)
Vulnerability from cvelistv5 – Published: 2025-12-29 06:32 – Updated: 2025-12-29 14:38 X_Open Source
VLAI?
Title
Open5GS PFCP Session Establishment Request rule-match.c ogs_pfcp_pdr_rule_find_by_packet assertion
Summary
A flaw has been found in Open5GS up to 2.7.5. This affects the function decode_ipv6_header/ogs_pfcp_pdr_rule_find_by_packet of the file lib/pfcp/rule-match.c of the component PFCP Session Establishment Request Handler. Executing manipulation can lead to reachable assertion. It is possible to launch the attack remotely. The exploit has been published and may be used. This patch is called b72d8349980076e2c033c8324f07747a86eea4f8. Applying a patch is advised to resolve this issue.
Severity ?
CWE
- CWE-617 - Reachable Assertion
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
Credits
ZiyuLin (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-15176",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-29T14:38:27.407041Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-29T14:38:33.043Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"PFCP Session Establishment Request Handler"
],
"product": "Open5GS",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "2.7.0"
},
{
"status": "affected",
"version": "2.7.1"
},
{
"status": "affected",
"version": "2.7.2"
},
{
"status": "affected",
"version": "2.7.3"
},
{
"status": "affected",
"version": "2.7.4"
},
{
"status": "affected",
"version": "2.7.5"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "ZiyuLin (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw has been found in Open5GS up to 2.7.5. This affects the function decode_ipv6_header/ogs_pfcp_pdr_rule_find_by_packet of the file lib/pfcp/rule-match.c of the component PFCP Session Establishment Request Handler. Executing manipulation can lead to reachable assertion. It is possible to launch the attack remotely. The exploit has been published and may be used. This patch is called b72d8349980076e2c033c8324f07747a86eea4f8. Applying a patch is advised to resolve this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-617",
"description": "Reachable Assertion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-29T06:32:06.957Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-338561 | Open5GS PFCP Session Establishment Request rule-match.c ogs_pfcp_pdr_rule_find_by_packet assertion",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.338561"
},
{
"name": "VDB-338561 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.338561"
},
{
"name": "Submit #719830 | Open5GS v2.7.5 Reachable Assertion",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.719830"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4180"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4180#issuecomment-3615555671"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4180#issue-3666760066"
},
{
"tags": [
"patch"
],
"url": "https://github.com/open5gs/open5gs/commit/b72d8349980076e2c033c8324f07747a86eea4f8"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2025-12-28T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-12-28T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-12-28T10:18:50.000Z",
"value": "VulDB entry last update"
}
],
"title": "Open5GS PFCP Session Establishment Request rule-match.c ogs_pfcp_pdr_rule_find_by_packet assertion"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-15176",
"datePublished": "2025-12-29T06:32:06.957Z",
"dateReserved": "2025-12-28T08:25:27.283Z",
"dateUpdated": "2025-12-29T14:38:33.043Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14955 (GCVE-0-2025-14955)
Vulnerability from cvelistv5 – Published: 2025-12-19 16:32 – Updated: 2025-12-19 18:00 X_Open Source
VLAI?
Title
Open5GS PFCP handler.c ogs_pfcp_handle_create_pdr initialization
Summary
A vulnerability was found in Open5GS up to 2.7.5. Affected by this vulnerability is the function ogs_pfcp_handle_create_pdr in the library lib/pfcp/handler.c of the component PFCP. The manipulation results in improper initialization. It is possible to launch the attack remotely. This attack is characterized by high complexity. The exploitation appears to be difficult. The exploit has been made public and could be used. The patch is identified as 773117aa5472af26fc9f80e608d3386504c3bdb7. It is best practice to apply a patch to resolve this issue.
Severity ?
CWE
- CWE-665 - Improper Initialization
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
Credits
ZiyuLin (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14955",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-19T17:25:04.453035Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T18:00:47.567Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/open5gs/open5gs/issues/4182"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/open5gs/open5gs/issues/4182#issue-3670797098"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/open5gs/open5gs/issues/4182#issuecomment-3616081878"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"PFCP"
],
"product": "Open5GS",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "2.7.0"
},
{
"status": "affected",
"version": "2.7.1"
},
{
"status": "affected",
"version": "2.7.2"
},
{
"status": "affected",
"version": "2.7.3"
},
{
"status": "affected",
"version": "2.7.4"
},
{
"status": "affected",
"version": "2.7.5"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "ZiyuLin (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Open5GS up to 2.7.5. Affected by this vulnerability is the function ogs_pfcp_handle_create_pdr in the library lib/pfcp/handler.c of the component PFCP. The manipulation results in improper initialization. It is possible to launch the attack remotely. This attack is characterized by high complexity. The exploitation appears to be difficult. The exploit has been made public and could be used. The patch is identified as 773117aa5472af26fc9f80e608d3386504c3bdb7. It is best practice to apply a patch to resolve this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 2.6,
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-665",
"description": "Improper Initialization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T16:32:08.036Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-337591 | Open5GS PFCP handler.c ogs_pfcp_handle_create_pdr initialization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.337591"
},
{
"name": "VDB-337591 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.337591"
},
{
"name": "Submit #716841 | Open5GS v2.7.5 Reachable Assertion",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.716841"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4182"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4182#issuecomment-3616081878"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4182#issue-3670797098"
},
{
"tags": [
"patch"
],
"url": "https://github.com/open5gs/open5gs/commit/773117aa5472af26fc9f80e608d3386504c3bdb7"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2025-12-19T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-12-19T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-12-19T09:36:53.000Z",
"value": "VulDB entry last update"
}
],
"title": "Open5GS PFCP handler.c ogs_pfcp_handle_create_pdr initialization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-14955",
"datePublished": "2025-12-19T16:32:08.036Z",
"dateReserved": "2025-12-19T08:31:39.061Z",
"dateUpdated": "2025-12-19T18:00:47.567Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14954 (GCVE-0-2025-14954)
Vulnerability from cvelistv5 – Published: 2025-12-19 16:02 – Updated: 2025-12-28 09:30 X_Open Source
VLAI?
Title
Open5GS QER/FAR/URR/PDR context.c ogs_pfcp_qer_find_or_add assertion
Summary
A vulnerability has been found in Open5GS up to 2.7.6. Affected is the function ogs_pfcp_pdr_find_or_add/ogs_pfcp_far_find_or_add/ogs_pfcp_urr_find_or_add/ogs_pfcp_qer_find_or_add in the library lib/pfcp/context.c of the component QER/FAR/URR/PDR. The manipulation leads to reachable assertion. It is possible to initiate the attack remotely. The attack's complexity is rated as high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 442369dcd964f03d95429a6a01a57ed21f7779b7. Applying a patch is the recommended action to fix this issue.
Severity ?
CWE
- CWE-617 - Reachable Assertion
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
Credits
ZiyuLin (VulDB User)
ZiyuLin (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14954",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-19T16:31:30.704132Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T16:31:41.201Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"QER/FAR/URR/PDR"
],
"product": "Open5GS",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "2.7.0"
},
{
"status": "affected",
"version": "2.7.1"
},
{
"status": "affected",
"version": "2.7.2"
},
{
"status": "affected",
"version": "2.7.3"
},
{
"status": "affected",
"version": "2.7.4"
},
{
"status": "affected",
"version": "2.7.5"
},
{
"status": "affected",
"version": "2.7.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "ZiyuLin (VulDB User)"
},
{
"lang": "en",
"type": "analyst",
"value": "ZiyuLin (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in Open5GS up to 2.7.6. Affected is the function ogs_pfcp_pdr_find_or_add/ogs_pfcp_far_find_or_add/ogs_pfcp_urr_find_or_add/ogs_pfcp_qer_find_or_add in the library lib/pfcp/context.c of the component QER/FAR/URR/PDR. The manipulation leads to reachable assertion. It is possible to initiate the attack remotely. The attack\u0027s complexity is rated as high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 442369dcd964f03d95429a6a01a57ed21f7779b7. Applying a patch is the recommended action to fix this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 2.6,
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-617",
"description": "Reachable Assertion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-28T09:30:08.899Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-337590 | Open5GS QER/FAR/URR/PDR context.c ogs_pfcp_qer_find_or_add assertion",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.337590"
},
{
"name": "VDB-337590 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.337590"
},
{
"name": "Submit #716810 | Open5GS v2.7.5 CWE-617 Reachable Assertion",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.716810"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4181"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4181#issuecomment-3615646842"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4181#issue-3667069101"
},
{
"tags": [
"patch"
],
"url": "https://github.com/open5gs/open5gs/commit/442369dcd964f03d95429a6a01a57ed21f7779b7"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2025-12-19T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-12-19T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-12-28T10:34:52.000Z",
"value": "VulDB entry last update"
}
],
"title": "Open5GS QER/FAR/URR/PDR context.c ogs_pfcp_qer_find_or_add assertion"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-14954",
"datePublished": "2025-12-19T16:02:11.110Z",
"dateReserved": "2025-12-19T08:31:35.484Z",
"dateUpdated": "2025-12-28T09:30:08.899Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14953 (GCVE-0-2025-14953)
Vulnerability from cvelistv5 – Published: 2025-12-19 16:02 – Updated: 2025-12-19 16:32 X_Open Source
VLAI?
Title
Open5GS FAR-ID handler.c ogs_pfcp_handle_create_pdr null pointer dereference
Summary
A flaw has been found in Open5GS up to 2.7.5. This impacts the function ogs_pfcp_handle_create_pdr in the library lib/pfcp/handler.c of the component FAR-ID Handler. Executing manipulation can lead to null pointer dereference. The attack may be performed from remote. The attack requires a high level of complexity. The exploitability is said to be difficult. The exploit has been published and may be used. This patch is called 93a9fd98a8baa94289be3b982028201de4534e32. It is advisable to implement a patch to correct this issue.
Severity ?
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
Credits
ZiyuLin (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14953",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-19T16:32:32.036056Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T16:32:56.837Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"FAR-ID Handler"
],
"product": "Open5GS",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "2.7.0"
},
{
"status": "affected",
"version": "2.7.1"
},
{
"status": "affected",
"version": "2.7.2"
},
{
"status": "affected",
"version": "2.7.3"
},
{
"status": "affected",
"version": "2.7.4"
},
{
"status": "affected",
"version": "2.7.5"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "ZiyuLin (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw has been found in Open5GS up to 2.7.5. This impacts the function ogs_pfcp_handle_create_pdr in the library lib/pfcp/handler.c of the component FAR-ID Handler. Executing manipulation can lead to null pointer dereference. The attack may be performed from remote. The attack requires a high level of complexity. The exploitability is said to be difficult. The exploit has been published and may be used. This patch is called 93a9fd98a8baa94289be3b982028201de4534e32. It is advisable to implement a patch to correct this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 2.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 2.1,
"vectorString": "AV:N/AC:H/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-404",
"description": "Denial of Service",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T16:02:07.234Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-337589 | Open5GS FAR-ID handler.c ogs_pfcp_handle_create_pdr null pointer dereference",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.337589"
},
{
"name": "VDB-337589 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.337589"
},
{
"name": "Submit #716799 | Open5GS v2.7.5 Reachable Assertion",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.716799"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4179"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4179#issuecomment-3614868758"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/4179#issue-3666399406"
},
{
"tags": [
"patch"
],
"url": "https://github.com/open5gs/open5gs/commit/93a9fd98a8baa94289be3b982028201de4534e32"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2025-12-19T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-12-19T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-12-19T09:36:45.000Z",
"value": "VulDB entry last update"
}
],
"title": "Open5GS FAR-ID handler.c ogs_pfcp_handle_create_pdr null pointer dereference"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-14953",
"datePublished": "2025-12-19T16:02:07.234Z",
"dateReserved": "2025-12-19T08:31:23.204Z",
"dateUpdated": "2025-12-19T16:32:56.837Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-65559 (GCVE-0-2025-65559)
Vulnerability from cvelistv5 – Published: 2025-12-18 00:00 – Updated: 2025-12-19 18:01
VLAI?
Summary
An issue was discovered in Open5GS 2.7.5-49-g465e90f, when processing a PFCP Session Establishment Request (type=50), the UPF crashes with a reachable assertion in `lib/pfcp/context.c` (`ogs_pfcp_object_teid_hash_set`) if the CreatePDR?PDI?F-TEID has CH=1 and the F-TEID address-family flag(s) (IPv4/IPv6) do not match the GTP-U resource family configured for the selected DNN (Network Instance), resulting in a denial of service.
Severity ?
7.5 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-65559",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-19T17:31:50.507865Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-617",
"description": "CWE-617 Reachable Assertion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T18:01:45.486Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/open5gs/open5gs/issues/4135"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Open5GS 2.7.5-49-g465e90f, when processing a PFCP Session Establishment Request (type=50), the UPF crashes with a reachable assertion in `lib/pfcp/context.c` (`ogs_pfcp_object_teid_hash_set`) if the CreatePDR?PDI?F-TEID has CH=1 and the F-TEID address-family flag(s) (IPv4/IPv6) do not match the GTP-U resource family configured for the selected DNN (Network Instance), resulting in a denial of service."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T18:42:55.350Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/open5gs/open5gs/issues/4135"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-65559",
"datePublished": "2025-12-18T00:00:00.000Z",
"dateReserved": "2025-11-18T00:00:00.000Z",
"dateUpdated": "2025-12-19T18:01:45.486Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-63288 (GCVE-0-2025-63288)
Vulnerability from cvelistv5 – Published: 2025-11-10 00:00 – Updated: 2025-11-12 20:18
VLAI?
Summary
In Open5GS 2.7.6, AMF crashes when receiving an abnormal NGSetupRequest message, resulting in denial of service.
Severity ?
7.5 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-63288",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T20:18:13.792350Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T20:18:35.968Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Open5GS 2.7.6, AMF crashes when receiving an abnormal NGSetupRequest message, resulting in denial of service."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T19:03:50.578Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/open5gs/open5gs/issues/4087"
},
{
"url": "https://github.com/open5gs/open5gs/commit/be765fe2b03e350836272eee5afb3931bdfb86d5"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-63288",
"datePublished": "2025-11-10T00:00:00.000Z",
"dateReserved": "2025-10-27T00:00:00.000Z",
"dateUpdated": "2025-11-12T20:18:35.968Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-41068 (GCVE-0-2025-41068)
Vulnerability from cvelistv5 – Published: 2025-10-27 12:47 – Updated: 2025-10-29 10:28
VLAI?
Title
Reachable Assertion vulnerability in Open5GS
Summary
Reachable Assertion vulnerability in Open5GS up to version 2.7.6 allows attackers with connectivity to the NRF to cause a denial of service. This is achieved by sending the creation of an NF with an invalid type via SBI and then requesting its data. The NRF executes a check that crashes the process, leaving the discovery service unresponsive.
Severity ?
CWE
- CWE-617 - Reachable Assertion
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41068",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-27T15:08:40.899125Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-27T15:08:58.104Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Open5GS",
"vendor": "NewPlane",
"versions": [
{
"lessThanOrEqual": "2.7.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:newplane:open5gs:*:*:*:*:*:*:*:*",
"versionEndIncluding": "2.7.5",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"datePublic": "2025-10-27T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Reachable Assertion vulnerability in Open5GS up to version 2.7.6 allows attackers with connectivity to the NRF to cause a denial of service. This is achieved by sending the creation of an NF with an invalid type via SBI and then requesting its data. The NRF executes a check that crashes the process, leaving the discovery service unresponsive."
}
],
"value": "Reachable Assertion vulnerability in Open5GS up to version 2.7.6 allows attackers with connectivity to the NRF to cause a denial of service. This is achieved by sending the creation of an NF with an invalid type via SBI and then requesting its data. The NRF executes a check that crashes the process, leaving the discovery service unresponsive."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-617",
"description": "CWE-617 Reachable Assertion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T10:28:05.622Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-newplanes-open5gs"
},
{
"tags": [
"patch"
],
"url": "https://open5gs.org/open5gs/release/2025/07/19/release-v2.7.6.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vulnerabilitiy has been fixed by the Open5GS team in version v2.7.6."
}
],
"value": "The vulnerabilitiy has been fixed by the Open5GS team in version v2.7.6."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Reachable Assertion vulnerability in Open5GS",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2025-41068",
"datePublished": "2025-10-27T12:47:57.984Z",
"dateReserved": "2025-04-16T09:09:34.458Z",
"dateUpdated": "2025-10-29T10:28:05.622Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-41067 (GCVE-0-2025-41067)
Vulnerability from cvelistv5 – Published: 2025-10-27 12:47 – Updated: 2025-10-29 10:27
VLAI?
Title
Reachable Assertion vulnerability in Open5GS
Summary
Reachable Assertion vulnerability in Open5GS up to version 2.7.6 allows attackers with connectivity to the NRF to cause a denial of service. An SBI request that deletes the NRF's own registry causes a check that ends up crashing the NRF process and renders the discovery service unavailable.
Severity ?
CWE
- CWE-617 - Reachable Assertion
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41067",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-27T15:09:33.939113Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-27T15:09:47.594Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Open5GS",
"vendor": "NewPlane",
"versions": [
{
"lessThanOrEqual": "2.7.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:newplane:open5gs:*:*:*:*:*:*:*:*",
"versionEndIncluding": "2.7.5",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"datePublic": "2025-10-27T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Reachable Assertion vulnerability in Open5GS up to version 2.7.6 allows attackers with connectivity to the NRF to cause a denial of service. An SBI request that deletes the NRF\u0027s own registry causes a check that ends up crashing the NRF process and renders the discovery service unavailable."
}
],
"value": "Reachable Assertion vulnerability in Open5GS up to version 2.7.6 allows attackers with connectivity to the NRF to cause a denial of service. An SBI request that deletes the NRF\u0027s own registry causes a check that ends up crashing the NRF process and renders the discovery service unavailable."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-617",
"description": "CWE-617 Reachable Assertion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T10:27:42.252Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-newplanes-open5gs"
},
{
"tags": [
"patch"
],
"url": "https://open5gs.org/open5gs/release/2025/07/19/release-v2.7.6.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vulnerabilitiy has been fixed by the Open5GS team in version v2.7.6."
}
],
"value": "The vulnerabilitiy has been fixed by the Open5GS team in version v2.7.6."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Reachable Assertion vulnerability in Open5GS",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2025-41067",
"datePublished": "2025-10-27T12:47:32.364Z",
"dateReserved": "2025-04-16T09:09:34.457Z",
"dateUpdated": "2025-10-29T10:27:42.252Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-55904 (GCVE-0-2025-55904)
Vulnerability from cvelistv5 – Published: 2025-09-17 00:00 – Updated: 2025-09-17 14:28
VLAI?
Summary
Open5GS v2.7.5, prior to commit 67ba7f92bbd7a378954895d96d9d7b05d5b64615, is vulnerable to a NULL pointer dereference when a multipart/related HTTP POST request with an empty HTTP body is sent to the SBI of either AMF, AUSF, BSF, NRF, NSSF, PCF, SMF, UDM, or UDR, resulting in a denial of service. This occurs in the parse_multipart function in lib/sbi/message.c.
Severity ?
4 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-55904",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-17T14:25:13.640980Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T14:28:46.520Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open5GS v2.7.5, prior to commit 67ba7f92bbd7a378954895d96d9d7b05d5b64615, is vulnerable to a NULL pointer dereference when a multipart/related HTTP POST request with an empty HTTP body is sent to the SBI of either AMF, AUSF, BSF, NRF, NSSF, PCF, SMF, UDM, or UDR, resulting in a denial of service. This occurs in the parse_multipart function in lib/sbi/message.c."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T13:48:18.473Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/open5gs/open5gs/commit/67ba7f92bbd7a378954895d96d9d7b05d5b64615"
},
{
"url": "https://github.com/open5gs/open5gs/issues/3942"
},
{
"url": "https://github.com/tsiamoulis/vuln-research/tree/main/CVE-2025-55904"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-55904",
"datePublished": "2025-09-17T00:00:00.000Z",
"dateReserved": "2025-08-16T00:00:00.000Z",
"dateUpdated": "2025-09-17T14:28:46.520Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-52322 (GCVE-0-2025-52322)
Vulnerability from cvelistv5 – Published: 2025-09-09 00:00 – Updated: 2025-09-10 13:46
VLAI?
Summary
An issue in Open5GS v2.7.2 and before allows a remote attacker to cause a denial of service via a crafted Create Session Request message to the SMF (PGW-C), using the IP address of a legitimate UE in the PDN Address Allocation (PAA) field
Severity ?
7.5 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-52322",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-10T13:39:57.755608Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-10T13:46:16.728Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/open5gs/open5gs/discussions/3919"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue in Open5GS v2.7.2 and before allows a remote attacker to cause a denial of service via a crafted Create Session Request message to the SMF (PGW-C), using the IP address of a legitimate UE in the PDN Address Allocation (PAA) field"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T15:15:45.884Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/open5gs/open5gs/discussions/3919"
},
{
"url": "https://github.com/ZHENGHAOHELLO/BugReport/blob/main/CVE-2025-52322"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-52322",
"datePublished": "2025-09-09T00:00:00.000Z",
"dateReserved": "2025-06-16T00:00:00.000Z",
"dateUpdated": "2025-09-10T13:46:16.728Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
FKIE_CVE-2025-63288
Vulnerability from fkie_nvd - Published: 2025-11-10 19:15 - Updated: 2025-12-11 23:30
Severity ?
Summary
In Open5GS 2.7.6, AMF crashes when receiving an abnormal NGSetupRequest message, resulting in denial of service.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:open5gs:open5gs:2.7.6:*:*:*:*:*:*:*",
"matchCriteriaId": "24CAE39B-3444-4255-AF36-12AD680CFED3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Open5GS 2.7.6, AMF crashes when receiving an abnormal NGSetupRequest message, resulting in denial of service."
},
{
"lang": "es",
"value": "En Open5GS 2.7.6, el AMF falla al recibir un mensaje NGSetupRequest an\u00f3malo, resultando en denegaci\u00f3n de servicio."
}
],
"id": "CVE-2025-63288",
"lastModified": "2025-12-11T23:30:00.113",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-11-10T19:15:57.490",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "https://github.com/open5gs/open5gs/commit/be765fe2b03e350836272eee5afb3931bdfb86d5"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/open5gs/open5gs/issues/4087"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-41068
Vulnerability from fkie_nvd - Published: 2025-10-27 13:15 - Updated: 2025-10-29 11:15
Severity ?
Summary
Reachable Assertion vulnerability in Open5GS up to version 2.7.6 allows attackers with connectivity to the NRF to cause a denial of service. This is achieved by sending the creation of an NF with an invalid type via SBI and then requesting its data. The NRF executes a check that crashes the process, leaving the discovery service unresponsive.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8F0994C3-81F7-4122-B3FE-6DF0A632DD33",
"versionEndExcluding": "2.7.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Reachable Assertion vulnerability in Open5GS up to version 2.7.6 allows attackers with connectivity to the NRF to cause a denial of service. This is achieved by sending the creation of an NF with an invalid type via SBI and then requesting its data. The NRF executes a check that crashes the process, leaving the discovery service unresponsive."
}
],
"id": "CVE-2025-41068",
"lastModified": "2025-10-29T11:15:44.310",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "cve-coordination@incibe.es",
"type": "Secondary"
}
]
},
"published": "2025-10-27T13:15:45.143",
"references": [
{
"source": "cve-coordination@incibe.es",
"url": "https://open5gs.org/open5gs/release/2025/07/19/release-v2.7.6.html"
},
{
"source": "cve-coordination@incibe.es",
"tags": [
"Third Party Advisory"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-newplanes-open5gs"
}
],
"sourceIdentifier": "cve-coordination@incibe.es",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-617"
}
],
"source": "cve-coordination@incibe.es",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-41067
Vulnerability from fkie_nvd - Published: 2025-10-27 13:15 - Updated: 2025-10-29 11:15
Severity ?
Summary
Reachable Assertion vulnerability in Open5GS up to version 2.7.6 allows attackers with connectivity to the NRF to cause a denial of service. An SBI request that deletes the NRF's own registry causes a check that ends up crashing the NRF process and renders the discovery service unavailable.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8F0994C3-81F7-4122-B3FE-6DF0A632DD33",
"versionEndExcluding": "2.7.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Reachable Assertion vulnerability in Open5GS up to version 2.7.6 allows attackers with connectivity to the NRF to cause a denial of service. An SBI request that deletes the NRF\u0027s own registry causes a check that ends up crashing the NRF process and renders the discovery service unavailable."
}
],
"id": "CVE-2025-41067",
"lastModified": "2025-10-29T11:15:44.170",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "cve-coordination@incibe.es",
"type": "Secondary"
}
]
},
"published": "2025-10-27T13:15:44.973",
"references": [
{
"source": "cve-coordination@incibe.es",
"url": "https://open5gs.org/open5gs/release/2025/07/19/release-v2.7.6.html"
},
{
"source": "cve-coordination@incibe.es",
"tags": [
"Third Party Advisory"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-newplanes-open5gs"
}
],
"sourceIdentifier": "cve-coordination@incibe.es",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-617"
}
],
"source": "cve-coordination@incibe.es",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-55904
Vulnerability from fkie_nvd - Published: 2025-09-17 14:15 - Updated: 2025-09-23 15:45
Severity ?
Summary
Open5GS v2.7.5, prior to commit 67ba7f92bbd7a378954895d96d9d7b05d5b64615, is vulnerable to a NULL pointer dereference when a multipart/related HTTP POST request with an empty HTTP body is sent to the SBI of either AMF, AUSF, BSF, NRF, NSSF, PCF, SMF, UDM, or UDR, resulting in a denial of service. This occurs in the parse_multipart function in lib/sbi/message.c.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://github.com/open5gs/open5gs/commit/67ba7f92bbd7a378954895d96d9d7b05d5b64615 | Patch | |
| cve@mitre.org | https://github.com/open5gs/open5gs/issues/3942 | Exploit, Issue Tracking | |
| cve@mitre.org | https://github.com/tsiamoulis/vuln-research/tree/main/CVE-2025-55904 | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F4733D6E-5B99-4217-96BA-533B220A1FDA",
"versionEndExcluding": "2.7.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Open5GS v2.7.5, prior to commit 67ba7f92bbd7a378954895d96d9d7b05d5b64615, is vulnerable to a NULL pointer dereference when a multipart/related HTTP POST request with an empty HTTP body is sent to the SBI of either AMF, AUSF, BSF, NRF, NSSF, PCF, SMF, UDM, or UDR, resulting in a denial of service. This occurs in the parse_multipart function in lib/sbi/message.c."
},
{
"lang": "es",
"value": "Open5GS v2.7.5, anterior al commit 67ba7f92bbd7a378954895d96d9d7b05d5b64615, es vulnerable a una desreferenciaci\u00f3n de puntero NULL cuando se env\u00eda una solicitud HTTP POST multipart/related con un cuerpo HTTP vac\u00edo al SBI de AMF, AUSF, BSF, NRF, NSSF, PCF, SMF, UDM o UDR, lo que resulta en una denegaci\u00f3n de servicio. Esto ocurre en la funci\u00f3n parse_multipart en lib/sbi/message.c."
}
],
"id": "CVE-2025-55904",
"lastModified": "2025-09-23T15:45:10.240",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 4.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.5,
"impactScore": 1.4,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-09-17T14:15:40.050",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "https://github.com/open5gs/open5gs/commit/67ba7f92bbd7a378954895d96d9d7b05d5b64615"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking"
],
"url": "https://github.com/open5gs/open5gs/issues/3942"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/tsiamoulis/vuln-research/tree/main/CVE-2025-55904"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-476"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-52322
Vulnerability from fkie_nvd - Published: 2025-09-09 16:15 - Updated: 2025-10-17 20:19
Severity ?
Summary
An issue in Open5GS v2.7.2 and before allows a remote attacker to cause a denial of service via a crafted Create Session Request message to the SMF (PGW-C), using the IP address of a legitimate UE in the PDN Address Allocation (PAA) field
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://github.com/ZHENGHAOHELLO/BugReport/blob/main/CVE-2025-52322 | Third Party Advisory | |
| cve@mitre.org | https://github.com/open5gs/open5gs/discussions/3919 | Exploit, Issue Tracking | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://github.com/open5gs/open5gs/discussions/3919 | Exploit, Issue Tracking |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E8160C0A-E77F-487D-B5E0-C6657E80D327",
"versionEndIncluding": "2.7.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue in Open5GS v2.7.2 and before allows a remote attacker to cause a denial of service via a crafted Create Session Request message to the SMF (PGW-C), using the IP address of a legitimate UE in the PDN Address Allocation (PAA) field"
}
],
"id": "CVE-2025-52322",
"lastModified": "2025-10-17T20:19:05.930",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-09-09T16:15:33.380",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/ZHENGHAOHELLO/BugReport/blob/main/CVE-2025-52322"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking"
],
"url": "https://github.com/open5gs/open5gs/discussions/3919"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Issue Tracking"
],
"url": "https://github.com/open5gs/open5gs/discussions/3919"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}