CVE-2025-60638
Description
An issue was discovered in free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via a crafted POST request to the Nnssf_NSSAIAvailability API.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In free5GC v4.0.0 and v4.0.1, a crafted POST to the Nnssf_NSSAIAvailability subscription endpoint triggers a nil pointer dereference in the NSSF, denying service.
The vulnerability in free5GC's Network Slice Selection Function (NSSF) arises from the handling of the optional expiry field when a Nnssf_NSSAIAvailability subscription is created. The field is decoded into a *time.Time, and the handler in internal/sbi/processor/nssaiavailability_subscription.go called IsZero() on it without first checking for nil. When a POST request omits expiry, that method call dereferences a nil pointer, the handling goroutine panics, and the client receives a 500 Internal Server Error [2].
An attacker exploits this by sending a POST request to the /nssai-availability/subscriptions endpoint whose JSON body lacks the expiry field. If OAuth is enabled on the SBI, the attacker first needs a valid access token; no further privileges are required. The bug report includes a curl command that reproduces the failure [2].
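The following is an added example, not code from the free5GC project: it reproduces the unpatched pattern (calling IsZero() on a possibly nil *time.Time) next to the patched form, and feeds both a constructed request body that omits expiry, as the crafted POST does. The struct and function names are stand-ins for the NSSF's own types; the handle helper mimics what a recovery middleware does when a handler panics, turning it into a 500 instead of a subscription response.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// SubscriptionCreateData is a constructed stand-in for the subscription body
// the NSSF decodes from the POST. Expiry is optional in the API, so it is a
// pointer that stays nil when the client omits the field.
type SubscriptionCreateData struct {
	NfNssaiAvailabilityUri string     `json:"nfNssaiAvailabilityUri"`
	Expiry                 *time.Time `json:"expiry,omitempty"`
}

// SubscriptionResponse is a stand-in for the created-subscription reply.
type SubscriptionResponse struct {
	SubscriptionId string     `json:"subscriptionId"`
	Expiry         *time.Time `json:"expiry,omitempty"`
}

// buildResponseVulnerable follows the unpatched pattern: IsZero has a value
// receiver, so calling it through a nil *time.Time dereferences nil and panics.
func buildResponseVulnerable(data SubscriptionCreateData) SubscriptionResponse {
	resp := SubscriptionResponse{SubscriptionId: "1"}
	if !data.Expiry.IsZero() { // panics when the request omitted expiry
		resp.Expiry = new(time.Time)
		*resp.Expiry = *data.Expiry
	}
	return resp
}

// buildResponseFixed adds the nil check the patch introduces; an absent expiry
// simply leaves the response field unset.
func buildResponseFixed(data SubscriptionCreateData) SubscriptionResponse {
	resp := SubscriptionResponse{SubscriptionId: "1"}
	if data.Expiry != nil && !data.Expiry.IsZero() {
		resp.Expiry = new(time.Time)
		*resp.Expiry = *data.Expiry
	}
	return resp
}

// handle decodes a JSON body and runs the chosen builder. A panic inside the
// builder is recovered and reported as status 500, which is what a recovery
// middleware in front of the real handler would produce for the client.
func handle(body []byte, build func(SubscriptionCreateData) SubscriptionResponse) (status int, resp SubscriptionResponse, err error) {
	defer func() {
		if r := recover(); r != nil {
			status = 500
			err = fmt.Errorf("recovered panic: %v", r)
		}
	}()
	var data SubscriptionCreateData
	if e := json.Unmarshal(body, &data); e != nil {
		return 400, resp, e
	}
	resp = build(data)
	return 201, resp, nil
}

// Constructed request bodies: the first is the crafted request (no expiry),
// the second is a well-formed one with an RFC 3339 expiry.
const bodyNoExpiry = `{"nfNssaiAvailabilityUri":"http://127.0.0.1:8000/notify"}`
const bodyWithExpiry = `{"nfNssaiAvailabilityUri":"http://127.0.0.1:8000/notify","expiry":"2030-01-01T00:00:00Z"}`

func main() {
	for _, c := range []struct {
		name  string
		build func(SubscriptionCreateData) SubscriptionResponse
	}{{"vulnerable", buildResponseVulnerable}, {"fixed", buildResponseFixed}} {
		status, resp, err := handle([]byte(bodyNoExpiry), c.build)
		fmt.Printf("%-10s no expiry   -> %d %+v err=%v\n", c.name, status, resp, err)
		status, resp, err = handle([]byte(bodyWithExpiry), c.build)
		fmt.Printf("%-10s with expiry -> %d %+v err=%v\n", c.name, status, resp, err)
	}
}
```

Run it and the vulnerable builder returns 500 with a recovered nil-pointer panic for the body without expiry, while the fixed builder returns 201 with no expiry in the response; both succeed when expiry is present. The same decode-then-dereference shape is worth grepping for across the other SBI processors, since every optional timestamp in the OpenAPI models is a pointer.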
Successful exploitation denies service on the NSSF, which the 5G core relies on for network slice selection, disrupting network slice availability and potentially overall service [3]. Because the reported symptom is an HTTP 500 rather than a dropped connection, the panic is recovered per request in the reported setup; whether it would also terminate the process depends on how the HTTP layer handles panics.
The bug report covers free5GC v4.0.0 and v4.0.1. The GitHub Security Advisory lists github.com/free5gc/nssf before 1.4.0 as affected and 1.4.0 as patched; the fix is the one-line nil check on Expiry shown under Patches, which deployments on earlier NSSF builds should apply or backport.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/free5gc/nssf (Go) | < 1.4.0 | 1.4.0 |
Affected products (2)
- Free5GC/Free5GC
Patches (1)
1 file changed · +1 −1
internal/sbi/processor/nssaiavailability_subscription.go+1 −1 modified@@ -77,7 +77,7 @@ func (p *Processor) NssaiAvailabilitySubscriptionCreate( factory.NssfConfig.Subscriptions = append(factory.NssfConfig.Subscriptions, subscription) response.SubscriptionId = subscription.SubscriptionId - if !subscription.SubscriptionData.Expiry.IsZero() { + if subscription.SubscriptionData.Expiry != nil && !subscription.SubscriptionData.Expiry.IsZero() { response.Expiry = new(time.Time) *response.Expiry = *subscription.SubscriptionData.Expiry }
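Review bot: the nil guard removes the dereference, but the subscription has already been appended to factory.NssfConfig.Subscriptions on the line above the check, so a request that omits expiry is now stored with a nil Expiry and never ages out, while the client receives no expiry in the response. Decide whether an absent expiry should get a server-chosen default (assigned before the append and echoed in response.Expiry) or be documented as a permanent subscription, and add a handler test that posts a body without expiry so the nil case stays covered.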
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
News mentions (0)
No linked articles in our index yet.