Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-60632

CVE-2025-60632: Free5gc Free5gc DOS Vulnerability

CVE-2025-60632 is a denial of service vulnerability in Free5gc v4.0.0 and v4.0.1 that allows attackers to disrupt services via crafted POST requests. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-60632 Overview

CVE-2025-60632 is a denial-of-service vulnerability affecting Free5GC versions 4.0.0 and 4.0.1. Free5GC is an open-source 5G core network implementation used in research, testing, and production 5G deployments. An attacker can trigger the flaw by sending a crafted POST request to the Npcf_BDTPolicyControl API. The affected component is the Policy Control Function (PCF), which handles Background Data Transfer (BDT) policy negotiation. Successful exploitation causes the affected service to crash, disrupting 5G core network operations. The vulnerability is categorized under [CWE-617] Reachable Assertion, indicating that malformed input reaches an assertion or unreachable code path in the API handler.

Critical Impact

A remote unauthenticated attacker can crash the Free5GC PCF service by sending a single crafted POST request to the Npcf_BDTPolicyControl API, disrupting 5G core signaling.

Affected Products

  • Free5GC 4.0.0
  • Free5GC 4.0.1
  • Free5GC Policy Control Function (PCF) — Npcf_BDTPolicyControl API

Discovery Timeline

  • 2025-11-24 - CVE-2025-60632 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-60632

Vulnerability Analysis

The vulnerability resides in the Free5GC Policy Control Function, specifically the Npcf_BDTPolicyControl API endpoint. This API is defined by 3GPP specifications and manages Background Data Transfer policy creation for network slices and application functions. When a client submits a POST request containing malformed or unexpected fields, the handler fails to validate input before processing it. The parsing path reaches a condition that terminates the process, resulting in service disruption. Because 5G core network functions communicate over HTTP/2 with JSON payloads on the Service Based Interface (SBI), the attack surface is network-reachable from any peer that can contact the PCF. In lab or exposed deployments where the SBI is not strictly segmented, a single request can knock the PCF offline.

Root Cause

The root cause is a reachable assertion or unhandled error path in the Npcf_BDTPolicyControl request handler ([CWE-617]). Rather than returning a structured HTTP error response for invalid input, the code path reaches a state that aborts the goroutine or the entire PCF process. Missing input validation on required BDT policy fields — such as aspId, numOfUes, desTimeInterval, or volPerUe — allows attackers to bypass safe parsing.

Attack Vector

Exploitation requires network access to the PCF Service Based Interface. The attacker sends a POST request to the Npcf_BDTPolicyControl API endpoint with a crafted JSON body. No authentication is required in the default Free5GC configuration, and no privileged position is needed. The result is loss of availability for the PCF, which cascades to policy-dependent 5G subscriber sessions. Refer to GitHub Free5GC Issue #705 for the maintainer discussion and reproduction context.

Detection Methods for CVE-2025-60632

Indicators of Compromise

  • Unexpected termination or restart of the Free5GC PCF process shortly after receiving inbound SBI traffic.
  • HTTP/2 POST requests to /npcf-bdtpolicycontrol/v1/bdtpolicies originating from unexpected source IPs or non-AF peers.
  • Panic or assertion failure entries in PCF logs referencing the BDT policy handler.

Detection Strategies

  • Monitor PCF service uptime and restart counts through container orchestrator or systemd telemetry.
  • Inspect SBI traffic for malformed Npcf_BDTPolicyControl payloads missing required 3GPP-defined fields.
  • Correlate PCF crash events with preceding inbound POST requests to identify the triggering source.

Monitoring Recommendations

  • Enable verbose logging on the PCF and forward logs to a central analytics platform for crash pattern analysis.
  • Alert on process termination events for the pcf binary in Kubernetes or bare-metal deployments.
  • Baseline legitimate Application Function (AF) peers and flag traffic to the BDT API from unlisted sources.

How to Mitigate CVE-2025-60632

Immediate Actions Required

  • Restrict network access to the PCF SBI to trusted 5G core peers using network policies or firewall rules.
  • Deploy a reverse proxy or API gateway in front of the PCF to enforce JSON schema validation for BDT policy requests.
  • Monitor the Free5GC GitHub repository for a fixed release addressing the Npcf_BDTPolicyControl handler.

Patch Information

At the time of publication, no fixed version is listed in the NVD entry. Track GitHub Free5GC Issue #705 and upstream commits to the PCF component for a remediation patch. Once a patched release is available, upgrade all PCF instances beyond 4.0.1.

Workarounds

  • Isolate the PCF on a dedicated management network segment accessible only to authenticated 5G core network functions.
  • Implement mutual TLS on the SBI and enforce OAuth2 authorization as recommended by 3GPP TS 33.501.
  • Rate-limit requests to the Npcf_BDTPolicyControl endpoint at the ingress layer to reduce crash-loop impact.
  • Run the PCF under a supervisor that automatically restarts the process while investigation and patching proceed.
bash
# Example: restrict PCF SBI access using iptables to a known AF peer
iptables -A INPUT -p tcp --dport 8000 -s 10.10.0.20 -j ACCEPT
iptables -A INPUT -p tcp --dport 8000 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.