87 matches found
CVE-2025-29339
An issue in UPF in Open5GS UPF versions up to v2.7.2 results an assertion failure vulnerability in PFCP session parameter validation. When processing a PFCP Session Establishment Request with PDN Type=0, the UPF fails to handle the invalid value propagated from SMF or via direct attack, triggerin...
CVE-2025-29339
An issue in UPF in Open5GS UPF versions up to v2.7.2 results an assertion failure vulnerability in PFCP session parameter validation. When processing a PFCP Session Establishment Request with PDN Type=0, the UPF fails to handle the invalid value propagated from SMF or via direct attack, triggerin...
CVE-2025-29339
Open5GS UPF (up to v2.7.2) is affected by CVE-2025-29339. An assertion failure occurs during PFCP Session Establishment Requests when PDN Type is 0, due to improper handling of an invalid value propagated from SMF (or via direct attack), leading to a fatal assertion and daemon crash. The vulnerab...
CVE-2024-51179
An issue in Open 5GS v.2.7.1 allows a remote attacker to cause a denial of service via the Network Function Virtualizations NFVs such as the User Plane Function UPF and the Session Management Function SMF, The Packet Data Unit PDU session establishment process...
CVE-2024-51179
An issue in Open 5GS v.2.7.1 allows a remote attacker to cause a denial of service via the Network Function Virtualizations NFVs such as the User Plane Function UPF and the Session Management Function SMF, The Packet Data Unit PDU session establishment process...
CVE-2024-51179
Open5GS v2.7.1 is affected by CVE-2024-51179, allowing a remote attacker to cause a denial of service via Network Function Virtualizations (NFVs) such as the User Plane Function (UPF) and the Session Management Function (SMF) during PDU session establishment. The vulnerability’s root cause and im...
CVE-2023-47346
Buffer Overflow vulnerability in free5gc 3.3.0, UPF 1.2.0, and SMF 1.2.0 allows attackers to cause a denial of service via crafted PFCP messages...
Buffer overflow
Buffer Overflow vulnerability in free5gc 3.3.0, UPF 1.2.0, and SMF 1.2.0 allows attackers to cause a denial of service via crafted PFCP messages...
CVE-2023-47346
Buffer Overflow vulnerability in free5gc 3.3.0, UPF 1.2.0, and SMF 1.2.0 allows attackers to cause a denial of service via crafted PFCP messages...
CVE-2023-47346
Buffer Overflow vulnerability in free5gc 3.3.0, UPF 1.2.0, and SMF 1.2.0 allows attackers to cause a denial of service via crafted PFCP messages...
CVE-2023-47346
CVE-2023-47346 affects free5gc 3.3.0, UPF 1.2.0, and SMF 1.2.0. The root cause is a Buffer Overflow in PFCP message handling, which can be exploited to cause a Denial of Service. Several sources confirm the vulnerability and its impact; remediation guidance consistently states upgrading to a fixe...
CVE-2023-47346
Buffer Overflow vulnerability in free5gc 3.3.0, UPF 1.2.0, and SMF 1.2.0 allows attackers to cause a denial of service via crafted PFCP messages...
seuelectronica.upf.edu Open Redirect vulnerability OBB-3391677
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
CVE-2022-39063
When Open5GS UPF receives a PFCP Session Establishment Request, it stores related values for building the PFCP Session Establishment Response. Once UPF receives a request, it gets the fteidlen from incoming message, and then uses it to copy data from incoming message to struct fteid without...
Server side request forgery (ssrf)
When Open5GS UPF receives a PFCP Session Establishment Request, it stores related values for building the PFCP Session Establishment Response. Once UPF receives a request, it gets the fteidlen from incoming message, and then uses it to copy data from incoming message to struct fteid without...
CVE-2022-39063
When Open5GS UPF receives a PFCP Session Establishment Request, it stores related values for building the PFCP Session Establishment Response. Once UPF receives a request, it gets the fteidlen from incoming message, and then uses it to copy data from incoming message to struct fteid without...
CVE-2022-39063
When Open5GS UPF receives a PFCP Session Establishment Request, it stores related values for building the PFCP Session Establishment Response. Once UPF receives a request, it gets the fteidlen from incoming message, and then uses it to copy data from incoming message to struct fteid without...
CVE-2022-39063
Open5GS UPF contains a vulnerability (CVE-2022-39063) in PFCP Session Establishment handling: on receiving a request, it copies data into f_teid without validating the maximum length, so if pdi.local_f_teid.len exceeds the bound, memcpy overwrites fields (e.g., f_teid_len) after f_teid, and the o...
Open5GS 安全漏洞
Open5GS is an open source implementation in C of 5G Core and Epc, the core network of the Lte/Nr network. A security vulnerability exists in Open5GS version 2.4.9 and earlier, which stems from the fact that if pdi.localfteid.len exceeds the maximum length of the fteid structure, memcpy overwrites...
CVE-2021-45462
In Open5GS 2.4.0, a crafted packet from UE can crash SGW-U/UPF...