CVE-2025-60632
Description
An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via crafted POST request to the Npcf_BDTPolicyControl API.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Free5GC v4.0.0 and v4.0.1 are vulnerable to denial of service via a crafted POST request to the Npcf_BDTPolicyControl API due to an unsafe type assertion in the PCF service.
Vulnerability
Overview
An issue discovered in Free5GC versions 4.0.0 and 4.0.1 allows an attacker to cause a denial of service (DoS) by sending a crafted POST request to the Npcf_BDTPolicyControl API [1][2]. The root cause is an unsafe type assertion in the PCF (Policy Control Function) service handler. When processing a POST request, the handler attempts to cast the result of `deepcopy.Copy(requestMsg)` to `*models.BdtReqData` without verifying whether the copied value is indeed a pointer to that type. If the underlying object is of type `models.BdtReqData` (not a pointer), the assertion fails and triggers a runtime panic, crashing the PCF service [2].
Exploitation
An attacker can exploit this vulnerability by sending a specially crafted JSON payload to the Npcf_BDTPolicyControl API endpoint. The attack requires network access to the PCF component and, if OAuth is enabled, a valid authorization token for the service [2]. The provided reproduction steps demonstrate that a simple POST request with a JSON body containing fields like aspId, desTimeInt, numOfUes, and volPerUe can trigger the panic. The bug persists in the latest codebase as of the report [2].
Impact
Successful exploitation results in a denial of service condition, causing the PCF service to crash and become unavailable. This disrupts policy control functions within the 5G core network, potentially affecting connected user equipment and services that rely on policy decisions [1][2].
Mitigation
A fix has been proposed in a pull request that addresses the unsafe type assertion by validating the type before casting [3]. Users of Free5GC are advised to apply the patch or update to a version containing the fix once released. Until then, restricting network access to the PCF API and ensuring proper authentication can reduce the attack surface [2][4].
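The unchecked assertion described in the overview, next to a checked form of the kind the mitigation describes, as an added Go example (not code from Free5GC or from the referenced pull request). `BdtReqData`, `copyValue` (a stand-in for `deepcopy.Copy`), `unsafeCast`, `safeCast` and `panicked` are hypothetical names, and the request value is constructed.

```go
package main

import "fmt"

// BdtReqData is a stand-in for models.BdtReqData (assumed shape, two of the fields named above).
type BdtReqData struct {
	AspId    string
	NumOfUes int32
}

// copyValue stands in for deepcopy.Copy: the dynamic type of the result matches the input.
func copyValue(v interface{}) interface{} { return v }

// unsafeCast mirrors the unchecked pattern: a single-value assertion panics
// when the dynamic type is BdtReqData rather than *BdtReqData.
func unsafeCast(v interface{}) *BdtReqData {
	return copyValue(v).(*BdtReqData)
}

// safeCast checks the dynamic type first and returns an error instead of panicking.
func safeCast(v interface{}) (*BdtReqData, error) {
	switch d := copyValue(v).(type) {
	case *BdtReqData:
		return d, nil
	case BdtReqData:
		return &d, nil
	default:
		return nil, fmt.Errorf("unexpected request type %T", d)
	}
}

// panicked reports whether f panicked, recovering so the caller keeps running.
func panicked(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

func main() {
	req := BdtReqData{AspId: "asp-constructed", NumOfUes: 1} // constructed sample value
	fmt.Println("unchecked assertion panics:", panicked(func() { unsafeCast(req) }))
	d, err := safeCast(req)
	fmt.Println("checked:", d.AspId, err)
	_, err = safeCast("not a request")
	fmt.Println("checked, wrong type:", err)
}
```

In a handler, the error returned by the checked form maps to a 4xx/5xx response for that one request, while the unchecked form takes down the whole process unless a recover middleware is in place.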
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/free5gc/pcf (Go) | < 1.4.0 | 1.4.0 |
Affected products
- Free5GC/Free5GC (description)
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-vgq7-9r5r-j9v3 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-60632 (ghsa, ADVISORY)
- github.com/free5gc/free5gc/issues/705 (ghsa, WEB)
- github.com/free5gc/pcf/pull/53 (ghsa, WEB)