Skip to main content

Open5GS CVE-2025-14954

LOW
Reachable Assertion (CWE-617)
2025-12-19 cna@vuldb.com
Denial Of Service Open5gs
2.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.9 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 01:43 vuln.today

DescriptionCVE.org

A vulnerability has been found in Open5GS up to 2.7.6. Affected is the function ogs_pfcp_pdr_find_or_add/ogs_pfcp_far_find_or_add/ogs_pfcp_urr_find_or_add/ogs_pfcp_qer_find_or_add in the library lib/pfcp/context.c of the component QER/FAR/URR/PDR. The manipulation leads to reachable assertion. It is possible to initiate the attack remotely. The attack's complexity is rated as high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 442369dcd964f03d95429a6a01a57ed21f7779b7. Applying a patch is the recommended action to fix this issue.

AnalysisAI

Reachable assertion in Open5GS up to version 2.7.6 affects the PFCP context management functions (PDR, FAR, URR, QER) in lib/pfcp/context.c, allowing remote attackers to trigger a denial of service condition via crafted PFCP messages. The vulnerability requires high attack complexity and has low availability impact, but publicly available exploit code exists. CVSS 2.9 / EPSS 0.14% indicates low real-world exploitation probability despite public POC.

Technical ContextAI

Open5GS is an open-source implementation of 3GPP 5G core network functions. The vulnerability resides in PFCP (Packet Forwarding Control Protocol) context management, specifically in the functions ogs_pfcp_pdr_find_or_add, ogs_pfcp_far_find_or_add, ogs_pfcp_urr_find_or_add, and ogs_pfcp_qer_find_or_add within lib/pfcp/context.c. These functions manage Packet Detection Rules (PDR), Forwarding Action Rules (FAR), Usage Reporting Rules (URR), and QoS Enforcement Rules (QER) - core data structures in the PFCP session management logic. CWE-617 (Reachable Assertion) indicates that invalid input can cause an assertion to fail, triggering an abnormal program termination. The vulnerability is triggered via remote PFCP protocol messages, which operate at the control plane of 5G networks.

RemediationAI

Upgrade Open5GS to version 2.7.7 or later to obtain the patched version (upstream fix available via commit 442369dcd964f03d95429a6a01a57ed21f7779b7 at https://github.com/open5gs/open5gs/commit/442369dcd964f03d95429a6a01a57ed21f7779b7). For environments unable to immediately upgrade, implement network-level controls to restrict PFCP traffic (typically UDP ports 8805) to known, trusted UPF (User Plane Function) and SMF (Session Management Function) nodes only. Monitor Open5GS logs for assertion failures (check for core dumps or abnormal process termination) and implement alerting on PFCP protocol anomalies. If upgrading, test in a staging environment first as PFCP context changes may affect session management. No vendor-documented workarounds exist beyond blocking/restricting PFCP input.

Share

CVE-2025-14954 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy