Moderate severityNVD Advisory· Published Mar 20, 2026· Updated Mar 20, 2026
free5GC UDM incorrectly returns 500 for empty supi path parameter in DELETE sdm-subscriptions request
CVE-2026-33065
Description
Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. In versions prior to 1.4.2, the UDM incorrectly converts a downstream 400 Bad Request (from UDR) into a 500 Internal Server Error when handling DELETE requests with an empty supi path parameter. This leaks internal error handling behavior and makes it difficult for clients to distinguish between client-side errors and server-side failures. When a client sends a DELETE request with an empty supi (e.g., double slashes // in URL path), the UDM forwards the malformed request to UDR, which correctly returns 400. However, UDM propagates this as 500 SYSTEM_FAILURE instead of returning the appropriate 400 error to the client. This violates REST API best practices for DELETE operations. The issue has been patched in version 1.4.2.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/free5gc/udmGo | < 1.4.2 | 1.4.2 |
Affected products
1Patches
188de9fa74a1bMerge pull request #79 from wiwi878/fix/udm/validation-subscriberdatamanagement
3 files changed · +72 −11
go.mod+1 −1 modified@@ -5,7 +5,7 @@ go 1.25.5 require ( github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d github.com/free5gc/openapi v1.2.3 - github.com/free5gc/util v1.3.2-0.20260102062829-eaf663340255 + github.com/free5gc/util v1.3.2-0.20260107090449-c09baaf75b11 github.com/gin-gonic/gin v1.10.0 github.com/google/uuid v1.6.0 github.com/h2non/gock v1.2.0
go.sum+2 −2 modified@@ -27,8 +27,8 @@ github.com/free5gc/ngap v1.1.2 h1:AA+s9+eaE8fSTnmBbh1xiD3VPaszonCd7AQJGKX5PHM= github.com/free5gc/ngap v1.1.2/go.mod h1:4HYtB+msoTBc3cEPlSr4ZUUHn3BFZhdPuVASERMzVeI= github.com/free5gc/openapi v1.2.3 h1:w4TmYBR8TUE4ZgKo7eiMZbyZPURSBFlMWiFeX+OsiA8= github.com/free5gc/openapi v1.2.3/go.mod h1:fLvaBtUZrvrzkKrmn5Aza+JNbpWnp3kxKixu6kLSD3k= -github.com/free5gc/util v1.3.2-0.20260102062829-eaf663340255 h1:IlMgigBSERsAwHhhDmDJpc5Xrmz8ML5Zg7Bd7SOVyyI= -github.com/free5gc/util v1.3.2-0.20260102062829-eaf663340255/go.mod h1:qsv/ez8YhI+pO8bjNiZWXc2xmRE3XuEIa0EDTCPkSy0= +github.com/free5gc/util v1.3.2-0.20260107090449-c09baaf75b11 h1:/UZetXmPa5T/TKKxqU3Osw9x3+nIuACTXJxOU+gYGTU= +github.com/free5gc/util v1.3.2-0.20260107090449-c09baaf75b11/go.mod h1:qsv/ez8YhI+pO8bjNiZWXc2xmRE3XuEIa0EDTCPkSy0= github.com/gabriel-vasile/mimetype v1.4.3 h1:in2uUcidCuFcDKtdcBxlR0rJ1+fsokWf+uqxgUFjbI0= github.com/gabriel-vasile/mimetype v1.4.3/go.mod h1:d8uq/6HKRL6CGdk+aubisF/M5GcPfT7nKyLpA0lbSSk= github.com/gin-contrib/sse v0.1.0 h1:Y/yl/+YNO8GZSjAhjMsSuLt29uWRFHdHYUb5lYOV9qE=
internal/sbi/api_subscriberdatamanagement.go+69 −8 modified@@ -12,6 +12,7 @@ import ( "github.com/free5gc/openapi/models" "github.com/free5gc/udm/internal/logger" "github.com/free5gc/util/metrics/sbi" + "github.com/free5gc/util/validator" ) func (s *Server) getSubscriberDataManagementRoutes() []Route { @@ -33,7 +34,21 @@ func (s *Server) HandleGetAmData(c *gin.Context) { logger.SdmLog.Infof("Handle GetAmData") + // TS 29.503 6.1.3.5.2 + // Validate SUPI format supi := c.Params.ByName("supi") + if !validator.IsValidSupi(supi) { + problemDetail := models.ProblemDetails{ + Title: "Malformed request syntax", + Status: http.StatusBadRequest, + Detail: "Supi is invalid", + Cause: "MANDATORY_IE_INCORRECT", + } + logger.SdmLog.Warnln("Supi is invalid") + c.Set(sbi.IN_PB_DETAILS_CTX_STR, http.StatusText(int(problemDetail.Status))) + c.JSON(int(problemDetail.Status), problemDetail) + return + } // use c.Request.URL.Query() only for getPlmnIDStruct plmnIDStruct, problemDetails := s.getPlmnIDStruct(c.Request.URL.Query()) @@ -256,10 +271,25 @@ func (s *Server) HandleSubscribe(c *gin.Context) { func (s *Server) HandleUnsubscribe(c *gin.Context) { logger.SdmLog.Infof("Handle Unsubscribe") - supi := c.Params.ByName("ueId") + // TS 29.503 6.1.3.4.2 + // Validate SUPI and GPSI format the UE ID (SUPI or GPSI) + ueId := c.Params.ByName("ueId") + valid := validator.IsValidGpsi(ueId) || validator.IsValidSupi(ueId) + if !valid { + problemDetail := models.ProblemDetails{ + Title: "Malformed request syntax", + Status: http.StatusBadRequest, + Detail: "UE ID is invalid", + Cause: "MANDATORY_IE_INCORRECT", + } + logger.SdmLog.Warnln("UE ID is invalid") + c.Set(sbi.IN_PB_DETAILS_CTX_STR, http.StatusText(int(problemDetail.Status))) + c.JSON(int(problemDetail.Status), problemDetail) + return + } subscriptionID := c.Params.ByName("subscriptionId") - s.Processor().UnsubscribeProcedure(c, supi, subscriptionID) + s.Processor().UnsubscribeProcedure(c, ueId, subscriptionID) } // UnsubscribeForSharedData - unsubscribe from notifications for shared data @@ -273,6 +303,25 @@ func (s *Server) HandleUnsubscribeForSharedData(c *gin.Context) { // Modify - modify the subscription func (s *Server) HandleModify(c *gin.Context) { var sdmSubsModificationReq models.SdmSubsModification + + // TS 29.503 6.1.3.4.2 + // Validate SUPI and GPSI format the UE ID (SUPI or GPSI) + ueId := c.Params.ByName("ueId") + valid := validator.IsValidGpsi(ueId) || validator.IsValidSupi(ueId) + if !valid { + problemDetail := models.ProblemDetails{ + Title: "Malformed request syntax", + Status: http.StatusBadRequest, + Detail: "UE ID is invalid", + Cause: "MANDATORY_IE_INCORRECT", + } + logger.SdmLog.Warnln("UE ID is invalid") + c.Set(sbi.IN_PB_DETAILS_CTX_STR, http.StatusText(int(problemDetail.Status))) + c.JSON(int(problemDetail.Status), problemDetail) + return + } + subscriptionID := c.Params.ByName("subscriptionId") + requestBody, err := c.GetRawData() if err != nil { problemDetail := models.ProblemDetails{ @@ -303,10 +352,7 @@ func (s *Server) HandleModify(c *gin.Context) { logger.SdmLog.Infof("Handle Modify") - supi := c.Params.ByName("ueId") - subscriptionID := c.Params.ByName("subscriptionId") - - s.Processor().ModifyProcedure(c, &sdmSubsModificationReq, supi, subscriptionID) + s.Processor().ModifyProcedure(c, &sdmSubsModificationReq, ueId, subscriptionID) } // ModifyForSharedData - modify the subscription @@ -433,9 +479,24 @@ func (s *Server) HandleGetIdTranslationResult(c *gin.Context) { logger.SdmLog.Infof("Handle GetIdTranslationResultRequest") - gpsi := c.Params.ByName("ueId") + // TS 29.503 6.1.3.12.2 + // Validate SUPI and GPSI format the UE ID (SUPI or GPSI) + ueId := c.Params.ByName("ueId") + valid := validator.IsValidGpsi(ueId) || validator.IsValidSupi(ueId) + if !valid { + problemDetail := models.ProblemDetails{ + Title: "Malformed request syntax", + Status: http.StatusBadRequest, + Detail: "UE ID is invalid", + Cause: "MANDATORY_IE_INCORRECT", + } + logger.SdmLog.Warnln("UE ID is invalid") + c.Set(sbi.IN_PB_DETAILS_CTX_STR, http.StatusText(int(problemDetail.Status))) + c.JSON(int(problemDetail.Status), problemDetail) + return + } - s.Processor().GetIdTranslationResultProcedure(c, gpsi) + s.Processor().GetIdTranslationResultProcedure(c, ueId) } func (s *Server) HandleGetMultipleIdentifiers(c *gin.Context) {
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/advisories/GHSA-958m-gxmc-mccmghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33065ghsaADVISORY
- github.com/free5gc/free5gc/issues/783ghsax_refsource_MISCWEB
- github.com/free5gc/free5gc/security/advisories/GHSA-958m-gxmc-mccmghsax_refsource_CONFIRMWEB
- github.com/free5gc/udm/commit/88de9fa74a1b3f3522e53b4cfa2d184712ffa4eeghsax_refsource_MISCWEB
- github.com/free5gc/udm/pull/79ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.