CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
Description (NVD)
Assertion failure vulnerability in the PCO (Protocol Configuration Options) parser in the SMF (Session Management Function) component of Open5GS before v2.7.5 allows remote attackers to cause denial of service via specially crafted NGAP messages containing malformed length fields in protocol configuration data.
Analysis (AI)
Denial of service in the Open5GS SMF component (versions before v2.7.5) allows unauthenticated remote attackers to crash the 5G core Session Management Function by delivering malformed Protocol Configuration Options with invalid length fields. The PCO parser validated those lengths with ogs_assert(), so inconsistent data triggers an assertion failure (CWE-617) and the SMF process aborts, taking down every PDU session it manages until it is restarted. With CVSS 7.5 (High) severity, a network attack vector and no authentication required, this is a significant operational risk to 5G networks; the low EPSS score (0.07%, 22nd percentile) indicates a low predicted likelihood of exploitation in the wild, not evidence about observed attempts. No active exploitation confirmed (not in CISA KEV). Upstream fix available via commit d770787, incorporated in the v2.7.5 release.
Technical Context (AI)
Open5GS is an open-source implementation of the 5G Core and the EPC (Evolved Packet Core) for mobile networks. The Session Management Function (SMF) handles PDU session establishment, modification and release in the 5G standalone architecture. The vulnerability is in the Protocol Configuration Options (PCO) parser in lib/proto/types.c. PCO/ePCO structures carry negotiation parameters such as DNS server addresses, IP allocation method and other protocol-specific configuration between the user equipment and the core network. The NVD description refers to NGAP, but NGAP itself terminates at the AMF (Access and Mobility Management Function): in 5G the PCO travels inside the UE's NAS session-management message (for example a PDU Session Establishment Request), which the gNB carries to the AMF over NGAP and the AMF relays to the SMF as an N1 SM container over the service-based interface; in EPC deployments the same parser handles the PCO of GTP-C Create Session Requests arriving on S5-C or Gn. The data the parser sees therefore originates from a UE, or from any peer able to reach the SMF's SBI or GTP-C listeners. The root cause (CWE-617: Reachable Assertion) is that the parser validated the PCO's length fields with ogs_assert(), so a length inconsistency (a container or protocol-ID length that exceeds the bytes remaining) terminated the process instead of rejecting the message. The commit replaces these assertions with runtime checks (ogs_expect() and conditional error handling), so the parser fails the message gracefully instead of crashing. The same change touches the S5-C (GTP-C), Gn (GPRS core network) and GSM builders under src/smf/ that construct session responses containing PCO data; "GSM" here is Open5GS's name for 5GS session management (5GSM) NAS messages, not the 2G system.
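The assert-versus-error distinction above, as an added example that is not Open5GS's code (its own parser lives in lib/proto/types.c): a minimal parser for the PCO container layout in 3GPP TS 24.008 10.5.6.3, run over constructed sample inputs, one of which declares a container length larger than the bytes present. The names pco_parse, pco_t, pco_id_t and PCO_MAX_IDS are this example's own.

```c
/*
 * Added example, not Open5GS code: a minimal parser for the contents of a
 * Protocol Configuration Options (PCO) IE as laid out in 3GPP TS 24.008
 * 10.5.6.3. Every length check returns an error to the caller; none of
 * them is an assert(), so a peer that lies about a length cannot take the
 * process down.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PCO_MAX_IDS 16

typedef struct {
    uint16_t id;          /* protocol identifier or container identifier */
    uint8_t len;          /* declared length of the contents */
    const uint8_t *data;  /* points into the caller's buffer, NULL if len == 0 */
} pco_id_t;

typedef struct {
    uint8_t ext;                     /* bit 8 of octet 3, must be 1 */
    uint8_t configuration_protocol;  /* bits 1-3 of octet 3, 0 = PPP */
    size_t num_of_id;
    pco_id_t ids[PCO_MAX_IDS];
} pco_t;

/*
 * Parse the PCO contents (the octets after the IEI and the IE length octet).
 * Returns the number of bytes consumed on success, -1 if the buffer is
 * malformed. The pre-fix pattern the text describes would have been an
 * ogs_assert() in place of the "declared length runs past the buffer" check,
 * which turns a malformed length into an abort() of the SMF.
 */
int pco_parse(pco_t *pco, const uint8_t *buf, size_t len)
{
    size_t off;

    memset(pco, 0, sizeof(*pco));
    if (buf == NULL || len < 1)
        return -1;

    pco->ext = buf[0] >> 7;
    pco->configuration_protocol = buf[0] & 0x07;
    if (!pco->ext)
        return -1;                 /* ext bit is mandatory per TS 24.008 */
    off = 1;

    while (off < len) {
        uint16_t id;
        uint8_t clen;

        if (len - off < 3)         /* need id (2 octets) + length (1 octet) */
            return -1;
        id = (uint16_t)((buf[off] << 8) | buf[off + 1]);
        clen = buf[off + 2];
        off += 3;

        if (clen > len - off)      /* declared length runs past the buffer */
            return -1;
        if (pco->num_of_id >= PCO_MAX_IDS)
            return -1;             /* bounded array: refuse instead of overrun */

        pco->ids[pco->num_of_id].id = id;
        pco->ids[pco->num_of_id].len = clen;
        pco->ids[pco->num_of_id].data = clen ? buf + off : NULL;
        pco->num_of_id++;
        off += clen;
    }
    return (int)off;
}

/* Constructed sample: a UE's PCO carrying an IPCP DNS request, a DNS IPv4
 * server request and "IP address allocation via NAS signalling". */
static const uint8_t PCO_GOOD[] = {
    0x80,                               /* ext=1, configuration protocol = PPP */
    0x80, 0x21, 0x10,                   /* IPCP, 16 octets */
    0x01, 0x00, 0x00, 0x10,             /*   Configure-Request, id 0, len 16 */
    0x81, 0x06, 0x00, 0x00, 0x00, 0x00, /*   primary DNS option */
    0x83, 0x06, 0x00, 0x00, 0x00, 0x00, /*   secondary DNS option */
    0x00, 0x0d, 0x00,                   /* DNS server IPv4 address request */
    0x00, 0x0a, 0x00,                   /* IP address allocation via NAS signalling */
};

/* Constructed sample: one container claims 32 octets of contents, none present. */
static const uint8_t PCO_BAD_LEN[] = { 0x80, 0x00, 0x0d, 0x20 };

/* Constructed sample: truncated in the middle of a container header. */
static const uint8_t PCO_TRUNC[] = { 0x80, 0x80, 0x21 };

int main(void)
{
    pco_t pco;
    int rc = pco_parse(&pco, PCO_GOOD, sizeof(PCO_GOOD));
    printf("good: rc=%d ids=%zu\n", rc, pco.num_of_id);
    for (size_t i = 0; i < pco.num_of_id; i++)
        printf("  id=0x%04x len=%u\n", pco.ids[i].id, pco.ids[i].len);
    printf("bad length: rc=%d\n", pco_parse(&pco, PCO_BAD_LEN, sizeof(PCO_BAD_LEN)));
    printf("truncated:  rc=%d\n", pco_parse(&pco, PCO_TRUNC, sizeof(PCO_TRUNC)));
    return 0;
}
```

The point of the shape is that every check is on `len - off`, never on a value the peer supplied, and every failure is a return code the caller can log and answer with a reject cause. With the assert form, the same two malformed inputs would abort the process.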
Remediation (AI)
Upgrade to Open5GS v2.7.5 or later, which includes commit d7707879c943d2c952235382154d835b5849d54e replacing the assertion-based validation with graceful error handling. The patch converts ogs_assert() calls to ogs_expect() with explicit error checking, so malformed PCO data is rejected instead of crashing the SMF. Download from the official Open5GS GitHub releases (https://github.com/open5gs/open5gs/releases/tag/v2.7.5). For environments that cannot upgrade immediately, reduce the exposure of the SMF's control-plane listeners: with IPsec or firewall rules, restrict the SBI (HTTP/2) interface to the trusted AMF and other NFs, GTP-C (UDP port 2123, S5-C/Gn in EPC deployments) to trusted SGW-C/SGSN peers, and PFCP (UDP port 8805, N4) to trusted UPFs. Note that NGAP (SCTP port 38412) terminates at the AMF, not the SMF, so filtering it on the SMF changes nothing, and that because the PCO originates from the UE and is relayed by a legitimate AMF, peer filtering does not stop a rogue or compromised UE from delivering the malformed data. Such controls shrink the attack surface rather than removing the vulnerability, assume network segmentation actually exists (in a flat or compromised network an attacker with network access still reaches the vulnerable interfaces), and may complicate multi-vendor interoperability. Monitor for SMF assertion failures and process restarts (the assertion message in the SMF log, supervisor or systemd restart events) to detect exploitation attempts. No workaround fully compensates for the code-level fix; patching is the only complete remediation. Review https://github.com/open5gs/open5gs/commit/d7707879c943d2c952235382154d835b5849d54e for the code changes to lib/proto/types.c and the src/smf/ message builders.
EUVD-2025-209599