High severityNVD Advisory· Published Mar 20, 2026· Updated Mar 20, 2026
free5GC UDM vulnerable to null byte injection in URL path parameters causing 500 Internal Server Error
CVE-2026-33191
Description
Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. Versions prior to 1.4.2 are vulnerable to null byte injection in URL path parameters. A remote attacker can inject null bytes (URL-encoded as %00) into the supi path parameter of the UDM's Nudm_SubscriberDataManagement API. This causes URL parsing failure in Go's net/url package with the error "invalid control character in URL", resulting in a 500 Internal Server Error. This null byte injection vulnerability can be exploited for denial of service attacks. When the supi parameter contains null characters, the UDM attempts to construct a URL for UDR that includes these control characters. Go's URL parser rejects them, causing the request to fail with 500 instead of properly validating input and returning 400 Bad Request. This issue has been fixed in version 1.4.2.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/free5gc/udmGo | < 1.4.2 | 1.4.2 |
Affected products
1Patches
188de9fa74a1bMerge pull request #79 from wiwi878/fix/udm/validation-subscriberdatamanagement
3 files changed · +72 −11
go.mod+1 −1 modified@@ -5,7 +5,7 @@ go 1.25.5 require ( github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d github.com/free5gc/openapi v1.2.3 - github.com/free5gc/util v1.3.2-0.20260102062829-eaf663340255 + github.com/free5gc/util v1.3.2-0.20260107090449-c09baaf75b11 github.com/gin-gonic/gin v1.10.0 github.com/google/uuid v1.6.0 github.com/h2non/gock v1.2.0
go.sum+2 −2 modified@@ -27,8 +27,8 @@ github.com/free5gc/ngap v1.1.2 h1:AA+s9+eaE8fSTnmBbh1xiD3VPaszonCd7AQJGKX5PHM= github.com/free5gc/ngap v1.1.2/go.mod h1:4HYtB+msoTBc3cEPlSr4ZUUHn3BFZhdPuVASERMzVeI= github.com/free5gc/openapi v1.2.3 h1:w4TmYBR8TUE4ZgKo7eiMZbyZPURSBFlMWiFeX+OsiA8= github.com/free5gc/openapi v1.2.3/go.mod h1:fLvaBtUZrvrzkKrmn5Aza+JNbpWnp3kxKixu6kLSD3k= -github.com/free5gc/util v1.3.2-0.20260102062829-eaf663340255 h1:IlMgigBSERsAwHhhDmDJpc5Xrmz8ML5Zg7Bd7SOVyyI= -github.com/free5gc/util v1.3.2-0.20260102062829-eaf663340255/go.mod h1:qsv/ez8YhI+pO8bjNiZWXc2xmRE3XuEIa0EDTCPkSy0= +github.com/free5gc/util v1.3.2-0.20260107090449-c09baaf75b11 h1:/UZetXmPa5T/TKKxqU3Osw9x3+nIuACTXJxOU+gYGTU= +github.com/free5gc/util v1.3.2-0.20260107090449-c09baaf75b11/go.mod h1:qsv/ez8YhI+pO8bjNiZWXc2xmRE3XuEIa0EDTCPkSy0= github.com/gabriel-vasile/mimetype v1.4.3 h1:in2uUcidCuFcDKtdcBxlR0rJ1+fsokWf+uqxgUFjbI0= github.com/gabriel-vasile/mimetype v1.4.3/go.mod h1:d8uq/6HKRL6CGdk+aubisF/M5GcPfT7nKyLpA0lbSSk= github.com/gin-contrib/sse v0.1.0 h1:Y/yl/+YNO8GZSjAhjMsSuLt29uWRFHdHYUb5lYOV9qE=
internal/sbi/api_subscriberdatamanagement.go+69 −8 modified@@ -12,6 +12,7 @@ import ( "github.com/free5gc/openapi/models" "github.com/free5gc/udm/internal/logger" "github.com/free5gc/util/metrics/sbi" + "github.com/free5gc/util/validator" ) func (s *Server) getSubscriberDataManagementRoutes() []Route { @@ -33,7 +34,21 @@ func (s *Server) HandleGetAmData(c *gin.Context) { logger.SdmLog.Infof("Handle GetAmData") + // TS 29.503 6.1.3.5.2 + // Validate SUPI format supi := c.Params.ByName("supi") + if !validator.IsValidSupi(supi) { + problemDetail := models.ProblemDetails{ + Title: "Malformed request syntax", + Status: http.StatusBadRequest, + Detail: "Supi is invalid", + Cause: "MANDATORY_IE_INCORRECT", + } + logger.SdmLog.Warnln("Supi is invalid") + c.Set(sbi.IN_PB_DETAILS_CTX_STR, http.StatusText(int(problemDetail.Status))) + c.JSON(int(problemDetail.Status), problemDetail) + return + } // use c.Request.URL.Query() only for getPlmnIDStruct plmnIDStruct, problemDetails := s.getPlmnIDStruct(c.Request.URL.Query()) @@ -256,10 +271,25 @@ func (s *Server) HandleSubscribe(c *gin.Context) { func (s *Server) HandleUnsubscribe(c *gin.Context) { logger.SdmLog.Infof("Handle Unsubscribe") - supi := c.Params.ByName("ueId") + // TS 29.503 6.1.3.4.2 + // Validate SUPI and GPSI format the UE ID (SUPI or GPSI) + ueId := c.Params.ByName("ueId") + valid := validator.IsValidGpsi(ueId) || validator.IsValidSupi(ueId) + if !valid { + problemDetail := models.ProblemDetails{ + Title: "Malformed request syntax", + Status: http.StatusBadRequest, + Detail: "UE ID is invalid", + Cause: "MANDATORY_IE_INCORRECT", + } + logger.SdmLog.Warnln("UE ID is invalid") + c.Set(sbi.IN_PB_DETAILS_CTX_STR, http.StatusText(int(problemDetail.Status))) + c.JSON(int(problemDetail.Status), problemDetail) + return + } subscriptionID := c.Params.ByName("subscriptionId") - s.Processor().UnsubscribeProcedure(c, supi, subscriptionID) + s.Processor().UnsubscribeProcedure(c, ueId, subscriptionID) } // UnsubscribeForSharedData - unsubscribe from notifications for shared data @@ -273,6 +303,25 @@ func (s *Server) HandleUnsubscribeForSharedData(c *gin.Context) { // Modify - modify the subscription func (s *Server) HandleModify(c *gin.Context) { var sdmSubsModificationReq models.SdmSubsModification + + // TS 29.503 6.1.3.4.2 + // Validate SUPI and GPSI format the UE ID (SUPI or GPSI) + ueId := c.Params.ByName("ueId") + valid := validator.IsValidGpsi(ueId) || validator.IsValidSupi(ueId) + if !valid { + problemDetail := models.ProblemDetails{ + Title: "Malformed request syntax", + Status: http.StatusBadRequest, + Detail: "UE ID is invalid", + Cause: "MANDATORY_IE_INCORRECT", + } + logger.SdmLog.Warnln("UE ID is invalid") + c.Set(sbi.IN_PB_DETAILS_CTX_STR, http.StatusText(int(problemDetail.Status))) + c.JSON(int(problemDetail.Status), problemDetail) + return + } + subscriptionID := c.Params.ByName("subscriptionId") + requestBody, err := c.GetRawData() if err != nil { problemDetail := models.ProblemDetails{ @@ -303,10 +352,7 @@ func (s *Server) HandleModify(c *gin.Context) { logger.SdmLog.Infof("Handle Modify") - supi := c.Params.ByName("ueId") - subscriptionID := c.Params.ByName("subscriptionId") - - s.Processor().ModifyProcedure(c, &sdmSubsModificationReq, supi, subscriptionID) + s.Processor().ModifyProcedure(c, &sdmSubsModificationReq, ueId, subscriptionID) } // ModifyForSharedData - modify the subscription @@ -433,9 +479,24 @@ func (s *Server) HandleGetIdTranslationResult(c *gin.Context) { logger.SdmLog.Infof("Handle GetIdTranslationResultRequest") - gpsi := c.Params.ByName("ueId") + // TS 29.503 6.1.3.12.2 + // Validate SUPI and GPSI format the UE ID (SUPI or GPSI) + ueId := c.Params.ByName("ueId") + valid := validator.IsValidGpsi(ueId) || validator.IsValidSupi(ueId) + if !valid { + problemDetail := models.ProblemDetails{ + Title: "Malformed request syntax", + Status: http.StatusBadRequest, + Detail: "UE ID is invalid", + Cause: "MANDATORY_IE_INCORRECT", + } + logger.SdmLog.Warnln("UE ID is invalid") + c.Set(sbi.IN_PB_DETAILS_CTX_STR, http.StatusText(int(problemDetail.Status))) + c.JSON(int(problemDetail.Status), problemDetail) + return + } - s.Processor().GetIdTranslationResultProcedure(c, gpsi) + s.Processor().GetIdTranslationResultProcedure(c, ueId) } func (s *Server) HandleGetMultipleIdentifiers(c *gin.Context) {
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-p9hg-pq3q-v9gvghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33191ghsaADVISORY
- github.com/free5gc/free5gc/security/advisories/GHSA-p9hg-pq3q-v9gvghsax_refsource_CONFIRMWEB
- github.com/free5gc/udm/commit/88de9fa74a1b3f3522e53b4cfa2d184712ffa4eeghsax_refsource_MISCWEB
- github.com/free5gc/udm/pull/79ghsaWEB
News mentions
0No linked articles in our index yet.