VYPR

Go modules package

github.com/free5gc/udm

pkg:golang/github.com/free5gc/udm

Vulnerabilities (7)

  • CVE-2026-42459 · High · May 27, 2026
    affected <= 1.4.3

    free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, the free5GC UDM component fails to validate the supi path parameter in six GET handlers of the nudm-sdm (Subscriber Data Management) service. An unauthenticated attacker can inject control characters

  • CVE-2026-33192 · Mar 20, 2026
    affected < 1.4.2, fixed 1.4.2

    Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. In versions prior to 1.4.2, the UDM incorrectly converts a downstream 400 Bad Request (from UDR) into a 500 Internal Server Error when handling PATCH requests with an empty supi path

  • CVE-2026-33065 · Mar 20, 2026
    affected < 1.4.2, fixed 1.4.2

    Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. In versions prior to 1.4.2, the UDM incorrectly converts a downstream 400 Bad Request (from UDR) into a 500 Internal Server Error when handling DELETE requests with an empty supi path

  • CVE-2026-33064 · Mar 20, 2026
    affected < 1.4.2, fixed 1.4.2

    Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. Versions prior to 1.4.2 are vulnerable to procedure panic caused by Nil Pointer Dereference in the /sdm-subscriptions endpoint. A remote attacker can cause the UDM service to panic an

  • CVE-2026-33191 · Mar 20, 2026
    affected < 1.4.2, fixed 1.4.2

    Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. Versions prior to 1.4.2 are vulnerable to null byte injection in URL path parameters. A remote attacker can inject null bytes (URL-encoded as %00) into the supi path parameter of the

  • CVE-2025-60633 · Nov 24, 2025
    affected <= 1.4.0

    An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via the Nudm_SubscriberDataManagement API.

  • CVE-2023-46324 · Oct 23, 2023
    affected < 1.2.0, fixed 1.2.0

    pkg/suci/suci.go in free5GC udm before 1.2.0, when Go before 1.19 is used, allows an Invalid Curve Attack because it may compute a shared secret via an uncompressed public key that has not been validated. An attacker can send arbitrary SUCIs to the UDM, which tries to decrypt the