CVE-2025-60633
Description
An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via the Nudm_SubscriberDataManagement API.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Free5GC v4.0.0 and v4.0.1 are vulnerable to denial of service via the Nudm_SubscriberDataManagement API due to improper error handling.
Vulnerability Overview
CVE-2025-60633 affects Free5GC versions 4.0.0 and 4.0.1, specifically the Nudm_SubscriberDataManagement (Nudm_SDM) API of the Unified Data Management (UDM) component. The issue arises from improper error handling when processing certain GET requests. When a request carries a non-existent subscriber identifier (ueID), or omits an optional parameter such as single-nssai, the UDM fails to propagate the correct error from the Unified Data Repository (UDR) and instead returns a generic 500 Internal Server Error [3][4]. This behavior reflects missing input validation and error-propagation logic, and results in a denial of service condition.
Attack Vector and Exploitation
An attacker can exploit this vulnerability by sending crafted HTTP GET requests to the Nudm_SDM API endpoints. The attack requires network access to the UDM service and, if OAuth is enabled, a valid authorization token [3][4]. No special privileges beyond network connectivity are needed. By sending requests with a non-existent ueID to the id-translation-result endpoint, or by omitting the single-nssai parameter in sm-data requests, the attacker triggers the internal server error, potentially causing resource exhaustion or service disruption [3][4].
Impact
Successful exploitation results in a denial of service (DoS) condition. The UDM component returns 500 errors for legitimate-looking requests, which can prevent subscribers from being authenticated or provisioned, effectively disrupting the core network functions. The vulnerability does not lead to service unavailability for mobile subscribers relying on the Free5GC network [1][3][4].
Mitigation
As of the publication date, the vulnerability remains unpatched in the affected versions. The Free5GC project has acknowledged the issue in GitHub issues [3][4], and a pull request addressing the supportedFeatures out-of-range error has been submitted [2]. Users are advised to monitor the repository for patches or apply workarounds such as input validation and proper error handling in the UDM component. Until a fix is released, restricting network access to the UDM API and implementing request filtering may reduce the attack surface.
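The workaround described above (validate input up front, propagate the repository's error instead of collapsing everything into a 500) is shown below as an added example; it is not free5gc code. It uses only the Go standard library's net/http rather than gin so it runs without dependencies, and it assumes a path of the form /nudm-sdm/v2/{supi}/sm-data, a trimmed-down ProblemDetails struct, a Lookup callback standing in for the UDR round-trip, and the cause strings DATA_NOT_FOUND and SYSTEM_FAILURE for the 404 and 500 responses (the 400 causes MANDATORY_IE_MISSING and INVALID_IE_VALUE are the ones the fix commits use).

```go
// Added example (not free5gc project code): a net/http handler in the shape of
// the Nudm_SDM sm-data GET, showing the defensive patterns the fixes rely on:
// an optional scalar read without indexing a slice, an optional structured
// parameter that is fine when absent and a 400 when malformed, and an
// upstream 404 mapped to a 404 ProblemDetails instead of a blanket 500.
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// ProblemDetails is the SBI error body (subset of the fields in the real model).
type ProblemDetails struct {
	Status int    `json:"status"`
	Cause  string `json:"cause,omitempty"`
	Detail string `json:"detail,omitempty"`
}

// Snssai is the single-nssai object carried as a JSON string in the query.
type Snssai struct {
	Sst int    `json:"sst"`
	Sd  string `json:"sd,omitempty"`
}

// SmDataQuery is the validated view of the request handed to the upstream call.
type SmDataQuery struct {
	Supi              string
	SupportedFeatures string  // "" when the client sent nothing
	Snssai            *Snssai // nil when the client sent nothing
}

// ParseSmDataQuery validates path and query and returns the ProblemDetails the
// client should receive, or nil when the request is well-formed.
func ParseSmDataQuery(path string, q url.Values) (SmDataQuery, *ProblemDetails) {
	var out SmDataQuery

	// Assumed path form for this example: /nudm-sdm/v2/{supi}/sm-data
	parts := strings.Split(path, "/")
	if len(parts) != 5 || parts[4] != "sm-data" || parts[3] == "" {
		return out, &ProblemDetails{Status: http.StatusNotFound, Detail: "unknown resource"}
	}
	out.Supi = parts[3]

	// Optional scalar: url.Values.Get yields "" when absent, so there is no
	// supportedFeatures[0] on an empty slice and therefore no panic/500 path.
	out.SupportedFeatures = q.Get("supported-features")

	// Optional structured parameter: absent is acceptable; present but not
	// valid JSON is the client's fault and is reported as 400, not 500.
	if raw := q.Get("single-nssai"); raw != "" {
		var s Snssai
		if err := json.Unmarshal([]byte(raw), &s); err != nil {
			return out, &ProblemDetails{
				Status: http.StatusBadRequest,
				Cause:  "INVALID_IE_VALUE",
				Detail: "The 'single-nssai' parameter is malformed.",
			}
		}
		out.Snssai = &s
	}
	return out, nil
}

// Lookup stands in for the UDR round-trip; status is the upstream HTTP status.
type Lookup func(q SmDataQuery) (body []byte, status int)

// MapUpstreamStatus decides what the client sees for a given repository answer.
// Only statuses the UDM did not anticipate become a 500.
func MapUpstreamStatus(status int) *ProblemDetails {
	switch status {
	case http.StatusOK:
		return nil
	case http.StatusNotFound:
		// Cause string assumed for the example; the real model defines its own.
		return &ProblemDetails{Status: http.StatusNotFound, Cause: "DATA_NOT_FOUND"}
	default:
		return &ProblemDetails{Status: http.StatusInternalServerError, Cause: "SYSTEM_FAILURE"}
	}
}

func writeProblem(w http.ResponseWriter, pd *ProblemDetails) {
	w.Header().Set("Content-Type", "application/problem+json")
	w.WriteHeader(pd.Status)
	_ = json.NewEncoder(w).Encode(pd)
}

// SmDataHandler wires validation, lookup and status mapping together.
func SmDataHandler(lookup Lookup) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		q, pd := ParseSmDataQuery(r.URL.Path, r.URL.Query())
		if pd != nil {
			writeProblem(w, pd)
			return
		}
		body, status := lookup(q)
		if pd := MapUpstreamStatus(status); pd != nil {
			writeProblem(w, pd)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		w.WriteHeader(http.StatusOK)
		_, _ = w.Write(body)
	}
}

func main() {
	// Constructed sample: a malformed single-nssai must yield 400, not 500.
	_, pd := ParseSmDataQuery("/nudm-sdm/v2/imsi-208930000000001/sm-data",
		url.Values{"single-nssai": {"not-json"}})
	fmt.Printf("%d %s\n", pd.Status, pd.Cause)
}
```

The point of splitting ParseSmDataQuery from MapUpstreamStatus is that each class of failure has one owner: anything the client got wrong is decided before any upstream call and never reaches the repository, and only a status the UDM genuinely did not plan for is allowed to surface as SYSTEM_FAILURE.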
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/free5gc/udm (Go) | <= 1.4.0 | — |
| github.com/free5gc/openapi (Go) | < 1.2.2 | 1.2.2 |
Affected products
- Free5GC/Free5GC
Patches
ca9976857909 fix: incorrectly returns 500 for invalid parameter (#65)
1 file changed · +23 −0
internal/sbi/processor/subscriber_data_management.go+23 −0 modified@@ -6,6 +6,7 @@ import ( "strconv" "github.com/gin-gonic/gin" + "github.com/google/uuid" "github.com/free5gc/openapi" "github.com/free5gc/openapi/models" @@ -567,6 +568,28 @@ func (p *Processor) GetSmfSelectDataProcedure(c *gin.Context, supi string, plmnI } func (p *Processor) SubscribeToSharedDataProcedure(c *gin.Context, sdmSubscription *models.SdmSubscription) { + if sdmSubscription.NfInstanceId == "" { + logger.SdmLog.Warnf("Missing mandatory parameter: nfInstanceId") + problemDetails := models.ProblemDetails{ + Status: http.StatusBadRequest, + Cause: "MANDATORY_IE_MISSING", + } + c.Set(sbi.IN_PB_DETAILS_CTX_STR, problemDetails.Cause) + c.JSON(http.StatusBadRequest, problemDetails) + return + } + + if _, err := uuid.Parse(sdmSubscription.NfInstanceId); err != nil { + logger.SdmLog.Warnf("Invalid nfInstanceId format: %s", sdmSubscription.NfInstanceId) + problemDetails := models.ProblemDetails{ + Status: http.StatusBadRequest, + Cause: "INVALID_IE_VALUE", + } + c.Set(sbi.IN_PB_DETAILS_CTX_STR, problemDetails.Cause) + c.JSON(http.StatusBadRequest, problemDetails) + return + } + ctx, pd, err := p.Context().GetTokenCtx(models.ServiceName_NUDM_SDM, models.NrfNfManagementNfType_UDM) if err != nil { c.Set(sbi.IN_PB_DETAILS_CTX_STR, pd.Cause)
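Review bot: both rejection paths added to SubscribeToSharedDataProcedure log the caller-supplied value unescaped, `logger.SdmLog.Warnf("Invalid nfInstanceId format: %s", sdmSubscription.NfInstanceId)`, right after uuid.Parse has declared it invalid; use `%q` there so line breaks or control characters in the rejected string cannot forge extra log lines. The two blocks also build an identical ProblemDetails / c.Set / c.JSON sequence that differs only in Cause, which would read better as one small helper, and neither sets Detail, whereas the single-nssai fix in this same file does.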
d50c83e8fe7e Merge pull request #65 from reki9185/fix/getIdentityDataErr
1 file changed · +1 −1
udr/DataRepository/api_query_identity_data_by_supi_or_gpsi_document.go+1 −1 modified@@ -149,7 +149,7 @@ func (a *QueryIdentityDataBySUPIOrGPSIDocumentApiService) GetIdentityData(ctx co localVarReturnValue.ETag = localVarHTTPResponse.Header.Get("ETag") localVarReturnValue.LastModified = localVarHTTPResponse.Header.Get("Last-Modified") return &localVarReturnValue, nil - case 403: + case 404: var v GetIdentityDataError err = openapi.Deserialize(&v.ProblemDetails, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) if err != nil {
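Review bot: replacing `case 403:` with `case 404:` leaves GetIdentityData with no arm for a 403 from the UDR, so a forbidden response now takes whatever path the remaining arms or the default provide; if 403 is a status the UDR can return for this resource, keep the 403 arm and add the 404 arm beside it instead of renaming the existing one. A sentence in the commit message on why the 403 arm was wrong here (the body is deserialized into the same GetIdentityDataError either way) would help the next reader.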
57c56a3ad4bc Merge pull request #66 from reki9185/fix/singleNssai
1 file changed · +12 −6
internal/sbi/processor/subscriber_data_management.go+12 −6 modified@@ -404,12 +404,18 @@ func (p *Processor) GetSmDataProcedure( } var modelSnassai models.Snssai - if errUnmarshal := json.Unmarshal([]byte(Snssai), &modelSnassai); errUnmarshal != nil { - logger.ProcLog.Errorf("modelSnassai Unmarshal Error: %+v", errUnmarshal) - problemDetails := openapi.ProblemDetailsSystemFailure(errUnmarshal.Error()) - c.Set(sbi.IN_PB_DETAILS_CTX_STR, problemDetails.Cause) - c.JSON(int(problemDetails.Status), problemDetails) - return + if Snssai != "" { + if errUnmarshal := json.Unmarshal([]byte(Snssai), &modelSnassai); errUnmarshal != nil { + logger.ProcLog.Errorf("modelSnassai Unmarshal Error: %+v", errUnmarshal) + problemDetail := models.ProblemDetails{ + Status: http.StatusBadRequest, + Detail: "The 'single-nssai' parameter is malformed.", + Cause: "INVALID_IE_VALUE", + } + c.Set(sbi.IN_PB_DETAILS_CTX_STR, problemDetail.Cause) + c.JSON(int(problemDetail.Status), problemDetail) + return + } } var querySmDataRequest Nudr_DataRepository.QuerySmDataRequest
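Review bot: when Snssai == "" the hunk now skips the unmarshal, but `var modelSnassai models.Snssai` keeps its zero value and execution continues into the `Nudr_DataRepository.QuerySmDataRequest` that follows; the hunk does not show whether that request distinguishes "no single-nssai supplied" from an S-NSSAI with Sst 0, so confirm the downstream query omits the filter when the parameter was absent rather than querying for an all-zero S-NSSAI. Minor: the renamed local `problemDetail` differs from the `problemDetails` spelling used in the rest of this file, and since a malformed client parameter is now a 400, Errorf is louder than a Warnf needs to be.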
e776c4217781 Merge pull request #63 from reki9185/fix/supportedFeaturesOutOfRange
1 file changed · +6 −1
internal/sbi/api_subscriberdatamanagement.go+6 −1 modified@@ -139,7 +139,12 @@ func (s *Server) HandleGetSharedData(c *gin.Context) { sharedDataIds := c.QueryArray("shared-data-ids") supportedFeatures := c.QueryArray("supported-features") - s.Processor().GetSharedDataProcedure(c, sharedDataIds, supportedFeatures[0]) + supportedFeature := "" + if len(supportedFeatures) > 0 { + supportedFeature = supportedFeatures[0] + } + + s.Processor().GetSharedDataProcedure(c, sharedDataIds, supportedFeature) } // SubscribeToSharedData - subscribe to notifications for shared data
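Review bot: the length guard removes the `supportedFeatures[0]` index on an empty slice (a panic that gin's recovery middleware surfaces as a 500 when `supported-features` is absent), but since only the first value is used and the parameter is a single string, `c.Query("supported-features")`, which returns "" when absent, expresses the intent without any slice at all. The neighbouring `sharedDataIds := c.QueryArray("shared-data-ids")` still reaches the processor unchecked; if the processor does not already reject an empty list, a 400 with MANDATORY_IE_MISSING belongs here next to this fix.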
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-3j9f-7w24-pcqg [ghsa, ADVISORY]
- nvd.nist.gov/vuln/detail/CVE-2025-60633 [ghsa, ADVISORY]
- github.com/free5gc/free5gc/issues/700 [ghsa, WEB]
- github.com/free5gc/free5gc/issues/701 [ghsa, WEB]
- github.com/free5gc/free5gc/issues/702 [ghsa, WEB]
- github.com/free5gc/free5gc/issues/703 [ghsa, WEB]
- github.com/free5gc/openapi/commit/d50c83e8fe7ebf9a62d9de99517e21a17f627b52 [ghsa, WEB]
- github.com/free5gc/openapi/pull/65 [ghsa, WEB]
- github.com/free5gc/udm/commit/57c56a3ad4bc53a62cab259045e78ec9abdb98ca [ghsa, WEB]
- github.com/free5gc/udm/commit/ca9976857909a422dcff5bf2228756fc2bfc80d1 [ghsa, WEB]
- github.com/free5gc/udm/commit/e776c42177817f75e75e7a587c58c2a027beed81 [ghsa, WEB]
- github.com/free5gc/udm/pull/63 [ghsa, WEB]
- github.com/free5gc/udm/pull/65 [ghsa, WEB]
- github.com/free5gc/udm/pull/66 [ghsa, WEB]
News mentions
No linked articles in our index yet.