Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionGitHub Advisory
Summary
The free5GC UDM component fails to validate the supi path parameter in six GET handlers of the nudm-sdm (Subscriber Data Management) service. An unauthenticated attacker can inject control characters into the SUPI parameter, causing UDM to forward a malformed request to UDR and return a 500 Internal Server Error response that exposes internal infrastructure details.
Affected Package
- Ecosystem: Go
- Package:
github.com/free5gc/udm - Affected versions:
<= v1.4.2 - Patched versions: none yet
Details
The following handlers in internal/sbi/api_subscriberdatamanagement.go do not call validator.IsValidSupi() before passing the supi parameter to the processor:
HandleGetSmfSelectData-GET /:supi/smf-select-dataHandleGetSupi-GET /:supiHandleGetTraceData-GET /:supi/trace-dataHandleGetUeContextInSmfData-GET /:supi/ue-context-in-smf-dataHandleGetNssai-GET /:supi/nssaiHandleGetSmData-GET /:supi/sm-data
By contrast, HandleGetAmData in the same file correctly validates the supi parameter:
// HandleGetAmData - correctly validates (not vulnerable)
supi := c.Params.ByName("supi")
if !validator.IsValidSupi(supi) {
c.JSON(http.StatusBadRequest, problemDetail)
return
}
// HandleGetSmfSelectData - missing validation (vulnerable)
supi := c.Params.ByName("supi")
// ← no validator.IsValidSupi(supi) call
s.Processor().GetSmfSelectDataProcedure(c, supi, plmnID, supportedFeatures)The malformed supi is passed to the processor which constructs a URL to forward the request to UDR. Go's net/url parser rejects the URL containing control characters and returns an error. UDM catches this error and responds with a 500 SYSTEM_FAILURE that includes the full internal UDR URL in the detail field.
This is a missed fix of CVE-2026-27642, which applied the same validator.IsValidSupi() check only to internal/sbi/api_ueauthentication.go (HandleConfirmAuth and HandleGenerateAuthData), leaving the SDM service handlers unpatched.
Proof of Concept
# Vulnerable - returns 500 with internal UDR URL exposed
curl "http://<UDM_HOST>/nudm-sdm/v2/imsi-22277%00INJECTED/smf-select-data"
curl "http://<UDM_HOST>/nudm-sdm/v2/imsi-22277%00INJECTED/nssai"
curl "http://<UDM_HOST>/nudm-sdm/v2/imsi-22277%00INJECTED/trace-data"
curl "http://<UDM_HOST>/nudm-sdm/v2/imsi-22277%00INJECTED/sm-data"
# Expected (vulnerable) response:
# HTTP 500
# {
# "title": "System failure",
# "status": 500,
# "detail": "parse \"http://udr.internal:80/nudr-dr/v2/subscription-data/imsi-22277\x00INJECTED//provisioned-data/smf-selection-subscription-data\": net/url: invalid control character in URL",
# "cause": "SYSTEM_FAILURE"
# }
# Protected endpoint (for comparison) - returns 400
curl "http://<UDM_HOST>/nudm-sdm/v2/imsi-22277%00INJECTED/am-data"
# HTTP 400
# {"title":"Malformed request syntax","status":400,"detail":"Supi is invalid","cause":"MANDATORY_IE_INCORRECT"}Impact
An unauthenticated remote attacker can send a crafted GET request to any of the six affected endpoints to obtain:
- Internal UDR hostname and port
- Full internal API path structure (
/nudr-dr/v2/subscription-data/...) - UDR API version
- Internal service naming convention
This information can be used to facilitate further attacks against the UDR or other internal 5G core components.
Recommended Fix
Add validator.IsValidSupi() to all six affected handlers, following the pattern already used in HandleGetAmData:
supi := c.Params.ByName("supi")
if !validator.IsValidSupi(supi) {
problemDetail := models.ProblemDetails{
Title: "Malformed request syntax",
Status: http.StatusBadRequest,
Detail: "Supi is invalid",
Cause: "MANDATORY_IE_INCORRECT",
}
c.Set(sbi.IN_PB_DETAILS_CTX_STR, http.StatusText(int(problemDetail.Status)))
c.JSON(int(problemDetail.Status), problemDetail)
return
}AnalysisAI
Internal infrastructure disclosure in the free5GC UDM network function (Go package github.com/free5gc/udm, versions <= v1.4.2) lets unauthenticated remote attackers leak the internal address and API layout of the UDR. Six GET handlers in the nudm-sdm Subscriber Data Management service skip the validator.IsValidSupi() check, so a SUPI path parameter containing control characters (e.g. a NULL byte) propagates into the UDM-to-UDR URL, breaks Go's net/url parser, and is echoed back inside a 500 SYSTEM_FAILURE error detail. Publicly available exploit code exists (a curl-based PoC is published in the advisory and CVSS marks exploit maturity as Proof-of-Concept), but it is not listed in CISA KEV and no EPSS score was provided; impact is limited to confidentiality of infrastructure metadata that aids further intrusion rather than direct data theft or code execution.
Technical ContextAI
free5GC is an open-source implementation of a 3GPP 5G core network written in Go. The affected component is the UDM (Unified Data Management) network function, specifically its nudm-sdm (Subscriber Data Management) service-based interface defined in internal/sbi/api_subscriberdatamanagement.go (CPE pkg:go/github.com_free5gc_udm). In 5G, the SUPI (Subscription Permanent Identifier, e.g. an IMSI-form value) is the subscriber key used to retrieve subscription data, and UDM proxies these lookups to the UDR (Unified Data Repository) over an HTTP service-based interface. The root cause is CWE-20 (Improper Input Validation): HandleGetSmfSelectData, HandleGetSupi, HandleGetTraceData, HandleGetUeContextInSmfData, HandleGetNssai, and HandleGetSmData pass the raw supi parameter straight to their processors without calling validator.IsValidSupi(), unlike the sibling HandleGetAmData handler which validates and returns HTTP 400. The processor builds a UDR URL from the attacker-controlled SUPI; control characters cause net/url to reject the string, and UDM's error handling embeds the fully-resolved internal UDR URL (host, port, /nudr-dr/v2/subscription-data/... path, and API version) in the returned error detail field. This is explicitly described as a missed fix of CVE-2026-27642, which added the same validation only to the ueauthentication handlers and overlooked the SDM handlers.
RemediationAI
No vendor-released patch identified at time of analysis - the advisory states patched versions are 'none yet,' so resolution currently requires applying the upstream-recommended source change: add the validator.IsValidSupi() guard (returning HTTP 400 MANDATORY_IE_INCORRECT) to all six unprotected handlers in internal/sbi/api_subscriberdatamanagement.go, mirroring HandleGetAmData, and rebuild/redeploy UDM from a patched fork until an official tagged release ships. Track https://github.com/free5gc/free5gc/security/advisories/GHSA-585v-hcgf-jhfr for a fixed version. Until then, apply compensating controls: enforce SBI authorization so only NRF-authorized, OAuth2-token-bearing peers can reach the nudm-sdm endpoints (trade-off: requires NRF token validation to be enabled and correctly configured across the core); place an API gateway or reverse proxy in front of UDM that rejects requests whose SUPI segment contains control or non-printable characters before they reach UDM (trade-off: adds a hop and must be kept in sync with valid SUPI grammar to avoid blocking legitimate identifiers); and restrict network reachability to the UDM SBI to the internal 5G core service mesh via mTLS and network policy, ensuring it is never exposed to untrusted networks (trade-off: none functionally, this is standard 5G core segmentation). As a stop-gap, suppress or sanitize the error detail field so 500 responses do not echo the resolved internal UDR URL (trade-off: reduces operational debugging visibility).
Same weakness CWE-20 – Improper Input Validation
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32554
GHSA-585v-hcgf-jhfr