CVE-2025-29339

An issue in UPF in Open5GS UPF versions up to v2.7.2 results an assertion failure vulnerability in PFCP session parameter validation. When processing a PFCP Session Establishment Request with PDN Type=0, the UPF fails to handle the invalid value propagated from SMF (or via direct attack), triggering a fatal assertion check and causing a daemon crash.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/open5gs/open5gs/issues/3727	Exploit Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*

History

19 Jun 2025, 00:23

Type	Values Removed	Values Added
CWE		CWE-617
References	~~() https://github.com/open5gs/open5gs/issues/3727 -~~	() https://github.com/open5gs/open5gs/issues/3727 - Exploit, Issue Tracking, Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
CPE		cpe:2.3:a:open5gs:open5gs::::::::
First Time		Open5gs Open5gs open5gs

23 Apr 2025, 14:08

Type	Values Removed	Values Added
Summary		(es) Un problema en UPF en versiones de Open5GS UPF hasta la v2.7.2 genera una vulnerabilidad de fallo de aserción en la validación de parámetros de sesión PFCP. Al procesar una solicitud de establecimiento de sesión PFCP con PDN tipo 0, UPF no gestiona el valor no válido propagado desde SMF (o mediante un ataque directo), lo que activa una comprobación de aserción fatal y provoca un fallo del demonio.

22 Apr 2025, 17:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-22 17:16

Updated : 2025-06-19 00:23

NVD link : CVE-2025-29339

Mitre link : CVE-2025-29339

CVE.ORG link : CVE-2025-29339

JSON object : View

Products Affected

open5gs

open5gs

CWE

CWE-617

Reachable Assertion

7.5 /10