CVE-2025-15532 Overview
A resource consumption vulnerability has been discovered in Open5GS up to version 2.7.5. This security flaw affects the Timer Handler component, where improper handling of pool and timer exhaustion conditions can lead to resource consumption attacks. The vulnerability allows remote attackers to exhaust system resources by manipulating timer allocation requests, potentially causing service disruption in 5G core network deployments.
Critical Impact
Remote attackers can exploit improper resource handling in Open5GS Timer Handler to exhaust system resources, potentially causing denial of service in 5G core network infrastructure.
Affected Products
- Open5GS versions up to 2.7.5
- Open5GS Timer Handler component
- Open5GS GTP and PFCP transaction handling modules
Discovery Timeline
- 2026-01-17 - CVE-2025-15532 published to NVD
- 2026-01-17 - Last updated in NVD database
Technical Details for CVE-2025-15532
Vulnerability Analysis
This vulnerability stems from improper error handling in Open5GS's timer and pool allocation mechanisms. The affected code paths use fatal assertions (ogs_fatal and ogs_assert) when timer pool allocation fails, rather than graceful error handling. This design flaw means that when an attacker exhausts the timer pool through repeated requests, the application terminates unexpectedly instead of recovering gracefully.
The vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption), as the system fails to properly limit resource allocation and handle exhaustion scenarios. In a 5G core network context, this could disrupt critical telecommunications infrastructure.
Root Cause
The root cause lies in the use of fatal assertions for non-fatal error conditions. In lib/core/ogs-timer.c, when ogs_pool_alloc() fails to allocate a timer object, the code calls ogs_fatal() which terminates the process. Similarly, in lib/gtp/xact.c, the use of ogs_assert(xact) after ogs_pool_id_calloc() causes process termination when the transaction pool is exhausted. This aggressive error handling converts a recoverable resource exhaustion into a complete service failure.
Attack Vector
An attacker can exploit this vulnerability remotely over the network by sending a high volume of requests that consume timer and transaction pool resources. Since the attack can be performed without authentication and the network attack vector is accessible, an external attacker could repeatedly trigger pool allocation until exhaustion occurs, causing the Open5GS process to terminate via the fatal assertion handlers.
// Vulnerable code in lib/core/ogs-timer.c (before patch)
ogs_pool_alloc(&manager->pool, &timer);
if (!timer) {
- ogs_fatal("ogs_pool_alloc() failed");
+ ogs_error("Failed to allocate timer object from pool");
return NULL;
}
Source: GitHub Commit Update
// Vulnerable code in lib/gtp/xact.c (before patch)
ogs_assert(hdesc);
ogs_pool_id_calloc(&pool, &xact);
- ogs_assert(xact);
+ if (!xact) {
+ ogs_error("Maximum number of xact[%lld] reached",
+ (long long)ogs_app()->pool.xact);
+ return NULL;
+ }
xact->index = ogs_pool_index(&pool, xact);
xact->gtp_version = 1;
Source: GitHub Commit Update
Detection Methods for CVE-2025-15532
Indicators of Compromise
- Unexpected termination of Open5GS processes with fatal assertion errors in logs
- High volume of GTP or PFCP transaction requests from single or multiple sources
- Log entries containing "ogs_pool_alloc() failed" or assertion failure messages
- Unusual resource consumption patterns on Open5GS infrastructure
Detection Strategies
- Monitor Open5GS process stability and implement alerting on unexpected process terminations
- Analyze system logs for fatal assertion messages related to timer or pool allocation
- Track transaction pool utilization metrics to identify abnormal consumption rates
- Implement network traffic analysis to detect volumetric attacks targeting 5G core components
Monitoring Recommendations
- Configure process monitoring to detect and alert on Open5GS service crashes
- Set up log aggregation to capture and analyze timer handler and pool allocation errors
- Establish baseline metrics for normal pool utilization and alert on significant deviations
- Monitor network interfaces for unusual traffic patterns targeting GTP and PFCP ports
How to Mitigate CVE-2025-15532
Immediate Actions Required
- Upgrade Open5GS to a version containing commit c7c131f8d2cb1195ada5e0e691b6868ebcd8a845 or later
- Review and increase pool size configurations if experiencing legitimate high-load conditions
- Implement network-level rate limiting for GTP and PFCP traffic
- Configure automatic process restart mechanisms as a temporary mitigation
Patch Information
The vulnerability has been addressed in commit c7c131f8d2cb1195ada5e0e691b6868ebcd8a845. The patch modifies the error handling in lib/core/ogs-timer.c and lib/gtp/xact.c to use graceful error logging (ogs_error) instead of fatal assertions when pool allocation fails. This allows the application to continue operating and recover from resource exhaustion scenarios rather than terminating.
For additional details, refer to the GitHub Issue Tracker and GitHub Issue Report.
Workarounds
- Implement network-level traffic filtering to limit connection rates to Open5GS services
- Increase timer and transaction pool sizes in Open5GS configuration to delay exhaustion
- Deploy Open5GS behind a reverse proxy or load balancer with rate limiting capabilities
- Configure process supervision to automatically restart Open5GS if it terminates unexpectedly
# Configuration example - Increase pool sizes in open5gs configuration
# Edit /etc/open5gs/mme.yaml or relevant configuration file
pool:
ue: 1024 # Increase UE pool size
xact: 2048 # Increase transaction pool size
timer: 4096 # Increase timer pool size
# Implement systemd service restart on failure
# /etc/systemd/system/open5gs-mmed.service.d/override.conf
[Service]
Restart=always
RestartSec=5
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
