Suse
CVE-2026-33065
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact This is an Improper Error Handling vulnerability with Information Exposure implications.
- Security Impact: The UDM incorrectly converts a downstream 400 Bad Request (from UDR) into a 500 Internal Server Error when handling DELETE requests with an empty
supipath parameter. This leaks internal error handling behavior and makes it difficult for clients to distinguish between client-side errors and server-side failures. - Functional Impact: When a client sends a DELETE request with an empty
supi(e.g., double slashes//in URL path), the UDM forwards the malformed request to UDR, which correctly returns 400. However, UDM propagates this as 500 SYSTEM_FAILURE instead of returning the appropriate 400 error to the client. This violates REST API best practices for DELETE operations. - Affected Parties: All deployments of free5GC v4.0.1 using the UDM Nudm_SDM service with DELETE operations on sdm-subscriptions endpoint.
Patches Yes, the issue has been patched. The fix is implemented in PR free5gc/udm#79. Users should upgrade to the next release of free5GC that includes this commit.
Workarounds There is no direct workaround at the application level. The recommendation is to apply the provided patch or implement API gateway-level validation to reject DELETE requests with empty path parameters before they reach UDM.
AnalysisAI
This is an improper error handling vulnerability in free5GC's UDM (Unified Data Management) component that incorrectly converts valid 400 Bad Request responses from downstream UDR (Unified Data Repository) services into 500 Internal Server Error responses when processing DELETE requests with empty supi path parameters. An attacker or misconfigured client can exploit this by sending malformed DELETE requests to the sdm-subscriptions endpoint, causing the UDM to leak internal error handling behavior and making it difficult for legitimate clients to distinguish between client-side errors and actual server failures. This vulnerability affects free5GC v4.0.1 and is classified as an information disclosure issue (CWE-209), though no CVSS score or KEV status has been assigned and no public exploit code is currently known.
Technical ContextAI
The vulnerability exists in the free5GC UDM service (pkg:go/github.com_free5gc_udm), which is a 5G core network component implementing the Nudm_SDM (Unified Data Management - Subscription Data Management) service. The root cause is improper error handling (CWE-209) in the UDM's HTTP request processing logic. When a DELETE request is sent to the sdm-subscriptions endpoint with an empty supi path parameter (such as a double slash // in the URL path), the UDM forwards this malformed request to the downstream UDR service. The UDR correctly identifies this as a client error and returns a 400 Bad Request response. However, instead of propagating this appropriate 400 status code back to the client, the UDM wrapper incorrectly translates the 400 response into a 500 SYSTEM_FAILURE error. This violates REST API best practices and exposes internal error handling logic, allowing an observer to infer implementation details about the system's architecture and error processing behavior.
RemediationAI
The primary remediation is to upgrade free5GC to the next release following v4.0.1 that includes the fix from PR free5gc/udm#79 (commit 88de9fa74a1b3f3522e53b4cfa2d184712ffa4ee). Users can reference the patch details at https://github.com/free5gc/udm/pull/79 and https://github.com/free5gc/udm/commit/88de9fa74a1b3f3522e53b4cfa2d184712ffa4ee for verification. Until patching is feasible, implement API gateway-level validation or WAF rules to reject DELETE requests with empty or malformed path parameters (such as double slashes //) before they reach the UDM service. Network segmentation to restrict access to UDM only from trusted 5G core components will also reduce exposure. No direct application-level workaround exists without code modification.
Same weakness CWE-209 – Error Message Information Leak
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-958m-gxmc-mccm