Skip to main content

Open5GS CVE-2025-14955

LOW
Improper Initialization (CWE-665)
2025-12-19 cna@vuldb.com
2.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.9 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 01:43 vuln.today

DescriptionCVE.org

A vulnerability was found in Open5GS up to 2.7.5. Affected by this vulnerability is the function ogs_pfcp_handle_create_pdr in the library lib/pfcp/handler.c of the component PFCP. The manipulation results in improper initialization. It is possible to launch the attack remotely. This attack is characterized by high complexity. The exploitation appears to be difficult. The exploit has been made public and could be used. The patch is identified as 773117aa5472af26fc9f80e608d3386504c3bdb7. It is best practice to apply a patch to resolve this issue.

AnalysisAI

Improper initialization in the PFCP handler function ogs_pfcp_handle_create_pdr within Open5GS up to version 2.7.5 allows remote attackers to trigger information disclosure with high attack complexity. The vulnerability has a publicly available proof-of-concept and carries a very low EPSS score (0.15%), indicating minimal real-world exploitation probability despite public availability of exploit code. CVSS 2.9 reflects the limited technical impact (availability of confidentiality only), but the high complexity and resource requirements make practical attacks difficult.

Technical ContextAI

Open5GS is a 5G Core and EPC implementation using the PFCP (Packet Forwarding Control Protocol) defined in 3GPP TS 29.244. The vulnerability resides in lib/pfcp/handler.c within the ogs_pfcp_handle_create_pdr function, which is responsible for processing PFCP Create PDR (Packet Detection Rule) messages. The flaw involves improper initialization of data structures (CWE-665), which can leave sensitive information in uninitialized memory accessible to remote attackers over the network via PFCP protocol messages. PFCP is a control-plane protocol used between the user plane function (UPF) and control plane function (CPF) in 5G networks, typically deployed in restricted network environments.

RemediationAI

Apply the vendor-released patch identified by commit 773117aa5472af26fc9f80e608d3386504c3bdb7 to remediate improper initialization in the PFCP handler. Update Open5GS to a version containing this commit (2.7.6 or later if available via the project's release process). For environments unable to patch immediately, restrict PFCP message sources to trusted control plane entities only by implementing network-level access controls on port 8805 (standard PFCP port) - limit connections to known UPF or CPF nodes. Additionally, disable PDR creation via untrusted network paths if architectural changes are feasible. Review the GitHub issue #4182 at https://github.com/open5gs/open5gs/issues/4182 for community validation of the fix prior to deployment.

CVE-2024-40130 CRITICAL POC
9.8 Jul 16

open5gs v2.6.4 is vulnerable to Buffer Overflow. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2024-40129 CRITICAL POC
9.8 Jul 16

Open5GS v2.6.4 is vulnerable to Buffer Overflow. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2021-28122 CRITICAL POC
9.8 Mar 10

A request-validation issue was discovered in Open5GS 2.1.3 through 2.2.x before 2.2.1. Rated critical severity (CVSS 9.8

CVE-2021-25863 HIGH POC
8.8 Jan 26

Open5GS 2.1.3 listens on 0.0.0.0:3000 and has a default password of 1423 for the admin account. Rated high severity (CVS

CVE-2023-37023 HIGH POC
8.6 Jan 22

Open5GS MME versions <= 2.6.4 contain a reachable assertion in the `Uplink NAS Transport` packet handler. Rated high sev

CVE-2023-37021 HIGH POC
8.6 Jan 22

Open5GS MME version <= 2.6.4 contains an assertion that can be remotely triggered via a malformed ASN.1 packet over the

CVE-2023-37020 HIGH POC
8.6 Jan 22

Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a malformed ASN.1 packet over the

CVE-2023-37019 HIGH POC
8.6 Jan 22

Open5GS MME versions <= 2.6.4 contains an assertion that can be remotely triggered via a malformed ASN.1 packet over the

CVE-2023-37018 HIGH POC
8.6 Jan 22

Open5GS MME versions <= 2.6.4 contains an assertion that can be remotely triggered via a malformed ASN.1 packet over the

CVE-2023-37017 HIGH POC
8.6 Jan 22

Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a malformed ASN.1 packet over the

CVE-2023-37016 HIGH POC
8.6 Jan 22

Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a malformed ASN.1 packet over the

CVE-2023-37015 HIGH POC
8.6 Jan 22

Open5GS MME versions <= 2.6.4 contains an assertion that can be remotely triggered via a malformed ASN.1 packet over the

Share

CVE-2025-14955 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy